Abstract

Sequential propositional logic deviates from ordinary propositional logic by taking
into account that during the sequential evaluation of a propositional statement, atomic
propositions may yield different Boolean values at repeated occurrences. We introduce
'free valuations' to capture this dynamics of a propositional statement's environment.
The resulting logic is phrased as an equationally specified algebra rather than in the
form of proof rules, and is named 'proposition algebra'. It is strictly more general
than Boolean algebra to the extent that the classical connectives fail to be expressively
complete in the sequential case. The four axioms for free valuation congruence are then
combined with other axioms in order to define a few more valuation congruences that
gradually identify more propositional statements, up to static valuation congruence
(which is the setting of conventional propositional logic).

Proposition algebra is developed in a fashion similar to the process algebra ACP
and the program algebra PGA, via an algebraic specification which has a meaningful
initial algebra for which a range of coarser congruences are considered important as well.
In addition infinite objects (that is propositional statements, processes and programs
respectively) are dealt with by means of an inverse limit construction which allows
the transfer of knowledge concerning finite objects to facts about infinite ones while
reducing all facts about infinite objects to an infinity of facts about finite ones in return.

1 Introduction 

A propositional statement is a composition of atomic propositions made by means of one 
or more (proposition) composition mechanisms, usually called connectives. Atomic propo- 
sitions are considered to represent facts about an environment (execution environment, ex- 
ecution architecture, operating context) that are used by the logical mechanism contained 
in the propositional statement which aggregates these facts for presentation to the propo- 
sitional statement's user. Different occurrences of the same atomic propositions represent 
different queries (measurements, issued information requests) at different moments in time. 

A valuation that may return different Boolean values for the same atomic proposition
during the sequential evaluation of a single propositional statement is called free, or in the 
case the evaluation result of an atomic proposition can have effect on subsequent evaluation, 
it is called reactive. This is in contrast to a "static" valuation, which always returns the 
same value for the same atomic proposition. Free valuations are thus semantically at the 
opposite end of static valuations, and are observation based in the sense that they capture 
the identity of a propositional statement as a series of queries followed by a Boolean value. 

Many classes of valuations can be distinguished. Given a class K of valuations, two
propositional statements are K-equivalent if they evaluate to the same Boolean value for
each valuation in K. Given a family of proposition connectives, K-equivalence need not be a
congruence, and K-congruence is the largest congruence that is contained in K-equivalence.
It is obvious that with larger K more propositional statements can be distinguished and the 
one we consider most distinguishing is named free valuation congruence. It is this congru- 
ence that plays the role of an initial algebra for the proposition algebras developed in this 
paper. The axioms of proposition algebra specify free valuation congruence in terms of the 
single ternary connective conditional composition (in computer science terminology: if-then- 
else) and constants for truth and falsity, and their soundness and completeness (for closed 
equations) is easily shown. Additional axioms are given for static valuation congruence, and 
for some reactive valuation congruences in between. 

Sequential versions of the well-known binary connectives of propositional logic and nega- 
tion can be expressed with conditional composition. We prove that these connectives have 
insufficient expressive power at this level of generality and that a ternary connective is 
needed (in fact this holds for any collection of binary connectives definable by conditional 
composition.) 

Infinite propositional statements are defined by means of an inverse limit construction 
which allows the transfer of knowledge concerning finite objects to facts about infinite ones 
while reducing all facts about infinite objects to an infinity of facts about finite ones in 
return. This construction was applied in giving standard semantics for the process algebra 
ACP (see [5] and for a more recent overview [1]). In doing so the design of proposition algebra
is very similar to the thread algebra of [6] which is based on a similar ternary connective but
features constants for termination and deadlock rather than for truth and falsity. Whereas 
thread algebra focuses on multi-threading and concurrency, proposition algebra has a focus 
on sequential mechanisms. 

The paper is structured as follows: In the next section we discuss some motivation for 
proposition algebra. In Section 3 we define the signature and equations of proposition
algebra, and in Section 4 we formally define valuation algebras. In Section 5 we consider some
observation based equivalences and congruences generated by valuations, and in Sections 6-9
we provide complete axiomatisations of these congruences. Definable (binary) connectives
are formally introduced in Section 10. In Section 11 we briefly consider some complexity
issues concerning satisfiability. The expressiveness (functional incompleteness) of binary
connectives is discussed in Section 12. In Section 13 we introduce projection and projective
limits for defining potentially infinite propositional statements. In Section 14 we discuss
recursive specifications of such propositional statements, and in Section 15 we sketch an
application perspective of proposition algebra. The paper is ended with some conclusions
in Section 16.

2 Motivation for proposition algebra

Proposition algebra is proposed as a preferred way of viewing the data type of propositional 
statements, at least in a context of sequential systems. Here are some arguments in favor of 
that thesis: 

In a sequential program a test, which is a conjunction of P and Q will be evaluated in 
a sequential fashion, beginning with P and not evaluating Q unless the evaluation of P led 
to a positive outcome. The sequential form of evaluation takes precedence over the axioms 
or rules of conventional propositional logic or Boolean algebra. For instance, neither con- 
junction nor disjunction are commutative when evaluated sequentially in the presence of 
side-effects, errors or exceptions. The absence of these latter features is never claimed for 
imperative programming and thus some extension of ordinary two-valued logic is necessary
to understand the basics of propositional logic as it occurs in the context of imperative 
programs. Three-, four- or more sophisticated many-valued logics may be used to explain 
the logic in this case (see, e.g., [H [7j US]), and the non-commutative, sequential reading of 
conjunction mentioned above can be traced back to McCarthy's seminal work on computation
theory [20], in which a specific value for undefinedness (e.g., a divergent computation)
is considered that in conjunction with falsity results in the value that was evaluated first.

Importing non-commutative conjunction to two valued propositional logic means that 
the sequential order of events is significant, and that is what proposition algebra is meant 
to specify and analyze in the first place. As a simple example, consider the propositional 
statement that a pedestrian evaluates just before crossing a road with two-way traffic driving 
on the right: 

$$\textit{look-left-and-check} \;{}^{\circ}\!\!\wedge\; \textit{look-right-and-check} \;{}^{\circ}\!\!\wedge\; \textit{look-left-and-check}. \qquad (1)$$

Here ${}^{\circ}\!\!\wedge$ is left-sequential conjunction, which is similar to conjunction but the left argument
is evaluated first and upon F ("false"), evaluation finishes with result F. A valuation
associated with this example is (should be) a free valuation: also in the case that the leftmost
occurrence of look-left-and-check evaluates to T ("true"), its second evaluation might very
well evaluate to F. However, the order of events (or their amount) need not be significant
in all circumstances and one may still wish or require that in particular cases conjunction
is idempotent or even commutative. A most simple example is perhaps

$$a \;{}^{\circ}\!\!\wedge\; a = a$$

with a an atomic proposition, which is not valid in free valuation semantics (and neither is
the falsity of $a \;{}^{\circ}\!\!\wedge\; \neg a$). For this reason we distinguish a number of restricted forms of reactive
valuation equivalences and congruences that validate this example or variations thereof, but
still refine static valuation congruence. It is evident that many more such refinements can
be distinguished.

We take the point of departure that the very purpose of any action taken by a program
under execution is to change the state of a system. If no change of state results with certainty 
the action can just as well be skipped. This holds for tests as well as for any action mainly 
performed because of its intended side-effects. The common intuition that the state is an 
external matter not influenced by the evaluation of a test, justifies ignoring side-effects of 
tests and for that reason it justifies an exclusive focus on static valuations to a large extent, 
thereby rendering the issue of reactivity pointless as well. But there are some interesting 
cases where this intuition is not necessarily convincing. We mention three such issues, all of 
which also support the general idea of considering propositional statements under sequential 
evaluation: 

1. It is common to accept that in a mathematical text an expression $1/x$ is admissible
only after a test $x \neq 0$ has been performed. One might conceive this test as an action
changing the state of mind of the reader thus influencing the evaluation of further
assertions such as $x/x = 1$.

2. A well-known dogma on computer viruses introduced by Cohen in 1984 (in [T^]) states 
that a computer cannot decide whether or not a program that it is running is it- 
self a virus. The proof involves a test which is hypothetically enabled by a decision 
mechanism which is supposed to have been implemented on a modified instance of 
the machine under consideration. It seems fair to say that the property of a program 
being viral is not obviously independent of the state of the program. So here is a case 
where performing the test might (in principle at least) result in a different state from 
which the same test would lead to a different outcome. 

This matter has been analyzed in detail in [9] [3] with the conclusion that the reactive 
nature of valuations gives room for criticism of Cohen's original argument. In the 
didactic literature on computer security Cohen's viewpoint is often repeated and it 
can be found on many websites and in the introduction of many texts. But there is a 
remarkable lack of secondary literature on the matter; an exception is the discussion 
in [13] and the papers cited therein. In any case the common claim that this issue
is just like the halting problem (and even more important in practice) is open for 
discussion. 

3. The on-line halting problem is about execution environments which allow a running 
program to acquire information about its future halting or divergence. This infor- 
mation is supposed to be provided by means of a forecasting service. In [10] that 
feature is analyzed in detail in a setting of thread algebra and the impossibility of 
sound and complete forecasting of halting is established. In particular, calling a fore- 
casting service may have side-effects which leads to different replies in future calls (see, 
e.g., [22]). This puts the impossibility of effectively deciding the halting problem at a 
level comparable to the impossibility of finding a convincing truth assignment for the 
liar paradox sentence in conventional two valued logic. 

Our account of proposition algebra is based on the ternary operator conditional
composition (or if-then-else). This operator has a sequential form of evaluation as its natural
semantics, and thus combines naturally with free and reactive valuation semantics.
Furthermore, proposition algebra constitutes a simple setting for constructing infinite propositional
statements by means of an inverse limit construction. The resulting projective limit model
can be judged as one that didactically precedes (prepares for) technically more involved
versions for process algebra and thread algebra, and as such provides by itself a motivation
for proposition algebra.

(CP1) $x \triangleleft T \triangleright y = x$

(CP2) $x \triangleleft F \triangleright y = y$

(CP3) $T \triangleleft x \triangleright F = x$

(CP4) $x \triangleleft (y \triangleleft z \triangleright u) \triangleright v = (x \triangleleft y \triangleright v) \triangleleft z \triangleright (x \triangleleft u \triangleright v)$

Table 1: The set CP of axioms for proposition algebra

3 Proposition algebra 

In this section we introduce the signature and equational axioms of proposition algebra. Let 
A be a countable set of atomic propositions a,b,c, .... The elements of A serve as atomic 
(i.e., non-divisible) queries that will produce a Boolean reply value. 

We assume that $|A| > 1$. The case that $|A| = 1$ is described in detail in [21]. We come
back to this point in Section 16.

The signature of proposition algebra consists of the constants T and F (representing true
and false), a constant a for each $a \in A$, and, following Hoare in [17], the ternary operator
conditional composition

We write $\Sigma_{CP}(A)$ for the signature introduced here. Terms are subject to the equational
axioms in Table 1. We further write CP for this set of axioms (for conditional propositions).

An alternative name for the conditional composition $y \triangleleft x \triangleright z$ is if x then y else z: the
axioms CP1 and CP2 model that its central condition x is evaluated first, and depending
on the reply either its leftmost or rightmost argument is evaluated. Axiom CP3 establishes
that a term can be extended to a larger conditional composition by adding T as a leftmost
argument and F as a rightmost one, and CP4 models the way a non-atomic central condition
distributes over the outer arguments. We note that the expression

$$F \triangleleft x \triangleright T$$

can be seen as defining the negation of x:

$$CP \vdash z \triangleleft (F \triangleleft x \triangleright T) \triangleright y = (z \triangleleft F \triangleright y) \triangleleft x \triangleright (z \triangleleft T \triangleright y) = y \triangleleft x \triangleright z, \qquad (2)$$

which illustrates that "if $\neg x$ then z else y" and "if x then y else z" are considered equal.
We introduce the abbreviation

$$x \circ y \quad \text{for} \quad y \triangleleft x \triangleright y,$$

and we name this expression x and then y. It follows easily that $\circ$ is associative:

$$(x \circ y) \circ z = z \triangleleft (y \triangleleft x \triangleright y) \triangleright z = (z \triangleleft y \triangleright z) \triangleleft x \triangleright (z \triangleleft y \triangleright z) = x \circ (y \circ z).$$

We take the and-then operator $\circ$ to bind stronger than conditional composition. At a later
stage we will formally add negation, the "and then" connective $\circ$, and some other binary
connectives to proposition algebra (i.e., add their function symbols to $\Sigma_{CP}(A)$ and their
defining equations to CP).

Closed terms over $\Sigma_{CP}(A)$ are called propositional statements, with typical elements
P, Q, R, ....

Definition 3.1. A propositional statement P is a basic form if

$$P ::= T \mid F \mid P_1 \triangleleft a \triangleright P_2$$

with $a \in A$, and $P_1$ and $P_2$ basic forms.

So, basic forms can be seen as binary trees of which the leaves are labeled with either T 
or F, and the internal nodes with atomic propositions. Following pQ we use the name basic 
form instead of normal form because we associate the latter with a term rewriting setting. 

Lemma 3.2. Each propositional statement can be proved equal to one in basic form using
the axioms in Table 1.

Proof. We first show that if P, Q, R are basic forms, then $P \triangleleft Q \triangleright R$ can be proved equal to
a basic form by structural induction on Q. If $Q = T$ or $Q = F$, this follows immediately,
and if $Q = Q_1 \triangleleft a \triangleright Q_2$ then

$$CP \vdash P \triangleleft Q \triangleright R = P \triangleleft (Q_1 \triangleleft a \triangleright Q_2) \triangleright R = (P \triangleleft Q_1 \triangleright R) \triangleleft a \triangleright (P \triangleleft Q_2 \triangleright R)$$

and by induction there are basic forms $P_i$ for $i = 1, 2$ such that $CP \vdash P_i = P \triangleleft Q_i \triangleright R$, hence
$CP \vdash P \triangleleft Q \triangleright R = P_1 \triangleleft a \triangleright P_2$ and $P_1 \triangleleft a \triangleright P_2$ is a basic form.

Next we prove the lemma's statement by structural induction on the form that
propositional statement P may take. If $P = T$ or $P = F$ we are done, and if $P = a$, then
$CP \vdash P = T \triangleleft a \triangleright F$.

For the case $P = P_1 \triangleleft P_2 \triangleright P_3$ it follows by induction that there are basic forms $Q_1, Q_2, Q_3$
with $CP \vdash P_i = Q_i$, so $CP \vdash P = Q_1 \triangleleft Q_2 \triangleright Q_3$. We proceed by case distinction on $Q_2$: if
$Q_2 = T$ or $Q_2 = F$ the statement follows immediately; if $Q_2 = R_1 \triangleleft a \triangleright R_2$, then

$$CP \vdash P = Q_1 \triangleleft Q_2 \triangleright Q_3 = Q_1 \triangleleft (R_1 \triangleleft a \triangleright R_2) \triangleright Q_3 = (Q_1 \triangleleft R_1 \triangleright Q_3) \triangleleft a \triangleright (Q_1 \triangleleft R_2 \triangleright Q_3)$$

and by the first result there are basic forms $S_1, S_2$ such that $CP \vdash S_i = Q_1 \triangleleft R_i \triangleright Q_3$. Hence
$CP \vdash P = S_1 \triangleleft a \triangleright S_2$ and $S_1 \triangleleft a \triangleright S_2$ is a basic form. □

We write

$$P \equiv Q$$

to denote that propositional statements P and Q are syntactically equivalent. In Section 5 we
prove that basic forms constitute a convenient representation:

Proposition 3.3. If $CP \vdash P = Q$ for basic forms P and Q, then $P \equiv Q$.

4 Valuation algebras 

In this section we formally define valuation algebras. Let B be the sort of the Booleans with
constants T and F. The signature $\Sigma_{Val}(A)$ of valuation algebras contains the sort B and a
sort Val of valuations. The sort Val has two constants

$$T_{Val} \quad \text{and} \quad F_{Val},$$

which represent the valuations that assign to each atomic proposition the value T respectively
F, and for each $a \in A$ a function

$$y_a : Val \to B$$

called the yield of a, and a function

$$\frac{\partial}{\partial a} : Val \to Val$$

called the a-derivative. A $\Sigma_{Val}(A)$-algebra is thus a two-sorted algebra.

A $\Sigma_{Val}(A)$-algebra $\mathbb{A}$ over $\Sigma_{Val}(A)$ is a valuation algebra (VA) if for all $a \in A$ it satisfies
the axioms

$$y_a(T_{Val}) = T, \qquad y_a(F_{Val}) = F, \qquad \frac{\partial}{\partial a}(T_{Val}) = T_{Val}, \qquad \frac{\partial}{\partial a}(F_{Val}) = F_{Val}.$$

Given a valuation algebra $\mathbb{A}$ with a valuation H (of sort Val) and a propositional statement
P we simultaneously define the evaluation of P over H, written

$$P/H,$$

and a generalized notion of an a-derivative for propositional statement Q, notation $\frac{\partial}{\partial Q}(H)$,
by the following case distinctions:

$$T/H = T, \qquad F/H = F, \qquad a/H = y_a(H),$$

$$(P \triangleleft Q \triangleright R)/H = \begin{cases} P/\frac{\partial}{\partial Q}(H) & \text{if } Q/H = T, \\ R/\frac{\partial}{\partial Q}(H) & \text{if } Q/H = F, \end{cases}$$

and

$$\frac{\partial}{\partial T}(H) = H, \qquad \frac{\partial}{\partial F}(H) = H,$$

$$\frac{\partial}{\partial (P \triangleleft Q \triangleright R)}(H) = \begin{cases} \frac{\partial}{\partial P}\left(\frac{\partial}{\partial Q}(H)\right) & \text{if } Q/H = T, \\ \frac{\partial}{\partial R}\left(\frac{\partial}{\partial Q}(H)\right) & \text{if } Q/H = F. \end{cases}$$
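
Some explanation: whenever in a conditional composition the central condition is an atomic
proposition, say c, then a valuation H distributes over the outer arguments as $\frac{\partial}{\partial c}(H)$, thus

$$(P \triangleleft c \triangleright Q)/H = \begin{cases} P/\frac{\partial}{\partial c}(H) & \text{if } y_c(H) = T, \\ Q/\frac{\partial}{\partial c}(H) & \text{if } y_c(H) = F. \end{cases} \qquad (3)$$

If in a conditional composition the central condition is not atomic, valuation decomposes
further according to the equations above, e.g.,

$$(a \triangleleft (b \triangleleft c \triangleright d) \triangleright e)/H = \begin{cases} a/\frac{\partial}{\partial (b \triangleleft c \triangleright d)}(H) & \text{if } (b \triangleleft c \triangleright d)/H = T, \\ e/\frac{\partial}{\partial (b \triangleleft c \triangleright d)}(H) & \text{if } (b \triangleleft c \triangleright d)/H = F, \end{cases}$$

$$= \begin{cases} a/\frac{\partial}{\partial b}\left(\frac{\partial}{\partial c}(H)\right) & \text{if } y_c(H) = T \text{ and } y_b\left(\frac{\partial}{\partial c}(H)\right) = T, \\ a/\frac{\partial}{\partial d}\left(\frac{\partial}{\partial c}(H)\right) & \text{if } y_c(H) = F \text{ and } y_d\left(\frac{\partial}{\partial c}(H)\right) = T, \\ e/\frac{\partial}{\partial b}\left(\frac{\partial}{\partial c}(H)\right) & \text{if } y_c(H) = T \text{ and } y_b\left(\frac{\partial}{\partial c}(H)\right) = F, \\ e/\frac{\partial}{\partial d}\left(\frac{\partial}{\partial c}(H)\right) & \text{if } y_c(H) = F \text{ and } y_d\left(\frac{\partial}{\partial c}(H)\right) = F. \end{cases} \qquad (4)$$

We compare the last example with

$$((a \triangleleft b \triangleright e) \triangleleft c \triangleright (a \triangleleft d \triangleright e))/H, \qquad (5)$$

which is a particular instance of (3) above. For the case $y_c(H) = T$ we find from (3) that

$$(a \triangleleft b \triangleright e)/\tfrac{\partial}{\partial c}(H) = \begin{cases} a/\frac{\partial}{\partial b}\left(\frac{\partial}{\partial c}(H)\right) & \text{if } y_b\left(\frac{\partial}{\partial c}(H)\right) = T, \\ e/\frac{\partial}{\partial b}\left(\frac{\partial}{\partial c}(H)\right) & \text{if } y_b\left(\frac{\partial}{\partial c}(H)\right) = F, \end{cases}$$

and for the case $y_c(H) = F$ we find the other two right-hand sides of (4). In a similar way
it follows that

$$\frac{\partial}{\partial ((a \triangleleft b \triangleright e) \triangleleft c \triangleright (a \triangleleft d \triangleright e))}(H) = \frac{\partial}{\partial (a \triangleleft (b \triangleleft c \triangleright d) \triangleright e)}(H),$$

thus providing a prototypical example of the soundness of axiom CP4 of CP. Without
(further) proof we state the following result.

Theorem 4.1 (Soundness). If for propositional statements P and Q, $CP \vdash P = Q$, then
for all VAs $\mathbb{A}$ and all valuations $H \in \mathbb{A}$, $P/H = Q/H$ and $\frac{\partial}{\partial P}(H) = \frac{\partial}{\partial Q}(H)$.

Proof. Let $\mathbb{A}$ be some VA and $H \in \mathbb{A}$. It is an easy exercise to show that an arbitrary
instance $P = Q$ of one of the axioms in CP satisfies $P/H = Q/H$ and $\frac{\partial}{\partial P}(H) = \frac{\partial}{\partial Q}(H)$. □

We note that $CP \vdash P = Q \Rightarrow \frac{\partial}{\partial P}(H) = \frac{\partial}{\partial Q}(H)$ ensures that the congruence property
is respected, e.g., if for some H, $T = P/H = Q/H$, then

$$(R \triangleleft P \triangleright S)/H = R/\tfrac{\partial}{\partial P}(H) = R/\tfrac{\partial}{\partial Q}(H) = (R \triangleleft Q \triangleright S)/H$$

and

$$\frac{\partial}{\partial (R \triangleleft P \triangleright S)}(H) = \frac{\partial}{\partial R}\left(\frac{\partial}{\partial P}(H)\right) = \frac{\partial}{\partial R}\left(\frac{\partial}{\partial Q}(H)\right) = \frac{\partial}{\partial (R \triangleleft Q \triangleright S)}(H).$$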
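
5 Valuation varieties

We introduce some specific equivalences and congruences generated by classes of valuations.
The class of VAs that satisfy a certain collection of equations over $\Sigma_{Val}(A)$ is called a
valuation variety. We distinguish the following varieties, where each next one is a subvariety
of the one defined:

1. The variety of VAs with free valuations: no further VA-equations than those defined
in Section 4.

2. The variety of VAs with repetition-proof valuations: all VAs that satisfy for all $a \in A$,

$$y_a(x) = y_a\left(\frac{\partial}{\partial a}(x)\right).$$

So the reply to a series of consecutive atoms a is determined by the first reply.
Typical example: $(P \triangleleft a \triangleright Q) \triangleleft a \triangleright (R \triangleleft a \triangleright S) = (a \circ P) \triangleleft a \triangleright (a \circ S)$.

3. The variety of VAs with contractive valuations: all repetition-proof VAs that satisfy
for all $a \in A$,

$$\frac{\partial}{\partial a}\left(\frac{\partial}{\partial a}(x)\right) = \frac{\partial}{\partial a}(x).$$

Each successive atom a is contracted by using the same evaluation result.
Typical example: $(P \triangleleft a \triangleright Q) \triangleleft a \triangleright (R \triangleleft a \triangleright S) = P \triangleleft a \triangleright S$.

4. The variety of VAs with weakly memorizing valuations consists of all contractive VAs
that satisfy for all $a, b \in A$,

Here the evaluation result of an atom a is memorized in a subsequent evaluation of a
if the evaluation of intermediate atoms yields the same result, and this subsequent a
can be contracted.

Two typical examples are

$$((P \triangleleft a \triangleright Q) \triangleleft b \triangleright R) \triangleleft a \triangleright S = (P \triangleleft b \triangleright R) \triangleleft a \triangleright S,$$
$$P \triangleleft a \triangleright (Q \triangleleft b \triangleright (R \triangleleft c \triangleright (S \triangleleft a \triangleright V))) = P \triangleleft a \triangleright (Q \triangleleft b \triangleright (R \triangleleft c \triangleright V)).$$

The case in which there are two intermediate atoms is discussed in Section 7.

5. The variety of VAs with memorizing valuations: all contractive VAs that satisfy for
all $a, b \in A$,

$$\frac{\partial}{\partial a}\left(\frac{\partial}{\partial b}\left(\frac{\partial}{\partial a}(x)\right)\right) = \frac{\partial}{\partial b}\left(\frac{\partial}{\partial a}(x)\right) \;\wedge\; y_a\left(\frac{\partial}{\partial b}\left(\frac{\partial}{\partial a}(x)\right)\right) = y_a(x).$$

Here the evaluation result of an atom a is memorized in all subsequent evaluations of
a and all subsequent a's can be contracted.

Typical axiom (right-oriented version):

$$x \triangleleft y \triangleright (z \triangleleft u \triangleright (v \triangleleft y \triangleright w)) = x \triangleleft y \triangleright (z \triangleleft u \triangleright w).$$

Typical counter-example: $a \triangleleft b \triangleright F \neq b \triangleleft a \triangleright F$ (thus $b \;{}^{\circ}\!\!\wedge\; a \neq a \;{}^{\circ}\!\!\wedge\; b$).

6. The variety of VAs with static valuations: all VAs that satisfy for all $a, b \in A$,

$$y_a\left(\frac{\partial}{\partial b}(x)\right) = y_a(x).$$

This is the setting of conventional propositional logic.

Typical identities: $a = b \circ a$ and $a \triangleleft b \triangleright F = b \triangleleft a \triangleright F$ (thus $b \;{}^{\circ}\!\!\wedge\; a = a \;{}^{\circ}\!\!\wedge\; b$).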

Definition 5.1. Let K be a variety of valuation algebras over A. Then propositional
statements P and Q are K-equivalent, notation

$$P \equiv_K Q,$$

if $P/H = Q/H$ for all $\mathbb{A} \in K$ and $H \in \mathbb{A}$. Let $=_K$ be the largest congruence contained in
$\equiv_K$. Propositional statements P and Q are K-congruent if

$$P =_K Q.$$

So, by the varieties defined thus far we distinguish six types of K-equivalence and
K-congruence: free, repetition-proof, contractive, weakly memorizing, memorizing and static.
We use the following abbreviations for these:

$$K = fr, rp, cr, wm, mem, st,$$

respectively. A convenient auxiliary notation in comparing these equivalences and
congruences concerns the valuation of strings: given a VA, say $\mathbb{A}$, a valuation $H \in \mathbb{A}$ can be
associated with a function $H_f : A^+ \to B$ by defining

$$H_f(a) = y_a(H) \quad \text{and} \quad H_f(a\sigma) = \left(\frac{\partial}{\partial a}(H)\right)_f(\sigma).$$

Proposition 5.2. The inclusions $\equiv_{fr} \subset \equiv_{rp} \subset \equiv_{cr} \subset \equiv_{wm} \subset \equiv_{mem} \subset \equiv_{st}$, and $=_K \subseteq \equiv_K$
for $K \in \{fr, rp, cr, wm, mem\}$ are all proper.

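Proof. In this proof we assume that all VAs we use satisfy $T \neq F$. We first consider the
differences between the mentioned equivalences:

1. $a \equiv_{rp} a \triangleleft a \triangleright F$, but $\equiv_{fr}$ does not hold in this case as is witnessed by a VA with valuation
H that satisfies $H_f(a) = T$ and $H_f(aa) = F$ (yielding $a/H = T$ and $(a \triangleleft a \triangleright F)/H = F$).

2. $b \triangleleft a \triangleright F \equiv_{cr} b \triangleleft (a \triangleleft a \triangleright F) \triangleright F$, but $\equiv_{rp}$ does not hold in the VA with element H with
$H_f(a) = H_f(ab) = T$ and $H_f(aab) = F$.

3. $(a \triangleleft b \triangleright F) \triangleleft a \triangleright F \equiv_{wm} b \triangleleft a \triangleright F$, but $\equiv_{cr}$ does not hold in the VA with element H with
$H_f(a) = H_f(ab) = T$ and $H_f(aba) = F$.

4. $(T \triangleleft b \triangleright (F \triangleleft a \triangleright T)) \triangleleft a \triangleright F \equiv_{mem} b \triangleleft a \triangleright F$, but $\equiv_{wm}$ does not hold in the VA with
element H with $H_f(a) = T$ and $H_f(ab) = H_f(aba) = F$.

5. $a \equiv_{st} a \triangleleft b \triangleright a$ (distinguish all possible cases), but $\equiv_{mem}$ does not hold as is witnessed by
the VA with element H with $H_f(a) = H_f(b) = T$ and $H_f(ba) = F$ (yielding $a/H = T$
and $(a \triangleleft b \triangleright a)/H = F$).

Finally, for $K \in \{fr, rp, cr, wm, mem\}$, $T \equiv_K T \triangleleft a \triangleright T$, but $b \triangleleft T \triangleright T \not\equiv_K b \triangleleft (T \triangleleft a \triangleright T) \triangleright T$
as is witnessed by the VA with element H with $H_f(a) = H_f(b) = T$ and $H_f(ab) = F$. □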
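
The following Python code is an added example, not part of the paper. It models a valuation by the string function $H_f$ defined above, evaluates conditional compositions sequentially, rewrites terms to basic form as in the proof of Lemma 3.2, and searches for a valuation that separates two statements. The tuple encoding of terms and the names `cond`, `evaluate`, `basic_form`, `queries` and `distinguish` are assumptions of this example.

```python
from itertools import product

T, F = "T", "F"   # the two constants; any other string is an atom


def cond(x, y, z):
    """The term x <| y |> z: 'if y then x else z' (y is the central condition)."""
    return ("cond", x, y, z)


def evaluate(term, hf, hist=()):
    """Evaluate term over the valuation reached after the queries in hist.

    hf stands for H_f: it maps the string of atoms queried so far (a tuple)
    to a reply. Returns (reply, history); the history plays the derivative.
    """
    if term == T:
        return True, hist
    if term == F:
        return False, hist
    if isinstance(term, str):               # a/H = y_a(H); continue in d/da(H)
        hist = hist + (term,)
        return hf(hist), hist
    _, x, y, z = term
    reply, hist = evaluate(y, hf, hist)     # the central condition goes first
    return evaluate(x if reply else z, hf, hist)


def basic_form(term):
    """Rewrite a term to a basic form with CP1-CP4, following Lemma 3.2."""
    if term in (T, F):
        return term
    if isinstance(term, str):
        return cond(T, term, F)             # CP3, read right to left
    _, x, y, z = term
    return _compose(basic_form(x), basic_form(y), basic_form(z))


def _compose(p, q, r):
    """Basic form of p <| q |> r for basic forms p, q, r (induction on q)."""
    if q == T:
        return p                            # CP1
    if q == F:
        return r                            # CP2
    _, q1, a, q2 = q
    return cond(_compose(p, q1, r), a, _compose(p, q2, r))   # CP4


def queries(term, hist=()):
    """Strings a valuation can be asked during evaluation, and end histories."""
    if term in (T, F):
        return set(), {hist}
    if isinstance(term, str):
        return {hist + (term,)}, {hist + (term,)}
    _, x, y, z = term
    asked, mids = queries(y, hist)
    ends = set()
    for h in mids:
        for branch in (x, z):
            more, out = queries(branch, h)
            asked |= more
            ends |= out
    return asked, ends


def distinguish(p, q, repetition_proof=False, derivatives=False):
    """Return a valuation (dict: string -> reply) separating p and q, or None.

    repetition_proof keeps only valuations with y_a(x) = y_a(d/da(x));
    derivatives also compares the valuation in which evaluation ends.
    """
    strings = sorted(queries(p)[0] | queries(q)[0])
    for bits in product((True, False), repeat=len(strings)):
        hf = dict(zip(strings, bits))
        if repetition_proof and any(
                len(s) > 1 and s[-1] == s[-2] and hf[s] != hf[s[:-1]]
                for s in strings):
            continue
        rp, rq = evaluate(p, hf.__getitem__), evaluate(q, hf.__getitem__)
        if (rp != rq) if derivatives else (rp[0] != rq[0]):
            return hf
    return None


# The CP4 instance worked out in equations (4) and (5).
LHS = cond("a", cond("b", "c", "d"), "e")
RHS = cond(cond("a", "b", "e"), "c", cond("a", "d", "e"))
# a <| a |> F from item 1 of the proof of Proposition 5.2.
A_THEN_A = cond("a", "a", F)

if __name__ == "__main__":
    print(distinguish(LHS, RHS, derivatives=True))
    print(distinguish("a", A_THEN_A))
    print(distinguish("a", A_THEN_A, repetition_proof=True))
```

The separating valuation found for `a` and `a <| a |> F` is the one named in item 1, and it disappears once only repetition-proof valuations are admitted.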

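The following proposition stems from [24] and can be used to deal with the difference
between K-congruence and K-equivalence.

Proposition 5.3. If $P \equiv_K Q$ and for all $\mathbb{A} \in K$ and $H \in \mathbb{A}$, $\frac{\partial}{\partial P}(H) = \frac{\partial}{\partial Q}(H)$, then
$P =_K Q$.

Proof. Assume $P \equiv_K Q$ and the further requirement in the proposition is satisfied. Since
$=_K$ is defined as the largest congruence contained in $\equiv_K$, $P =_K Q$ if for all S and R the
following three cases are true:

$$P \triangleleft S \triangleright R \equiv_K Q \triangleleft S \triangleright R,$$
$$S \triangleleft P \triangleright R \equiv_K S \triangleleft Q \triangleright R,$$
$$S \triangleleft R \triangleright P \equiv_K S \triangleleft R \triangleright Q.$$

The first and last case follow immediately. For the middle case, derive

$$(S \triangleleft P \triangleright R)/H = \begin{cases} S/\frac{\partial}{\partial P}(H) & \text{if } P/H = T, \\ R/\frac{\partial}{\partial P}(H) & \text{if } P/H = F, \end{cases} = \begin{cases} S/\frac{\partial}{\partial Q}(H) & \text{if } Q/H = T, \\ R/\frac{\partial}{\partial Q}(H) & \text{if } Q/H = F, \end{cases} = (S \triangleleft Q \triangleright R)/H.$$

□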



6 Completeness for $=_{rp}$ and $=_{cr}$

In this section we give complete axiomatizations of repetition-proof valuation congruence 
and of contractive valuation congruence. We start with a basic result on free valuation 
congruence of basic forms. 

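Lemma 6.1. For all basic forms P and Q, $P =_{fr} Q$ implies $P \equiv Q$.

Proof. We prove the lemma by structural induction on P and Q.

If $P \equiv T$ then if $Q \equiv T$ there is nothing to prove. If $Q \equiv F$ then $P \neq_{fr} Q$ (consider a VA
in which $T \neq F$). If $Q \equiv Q_1 \triangleleft a \triangleright Q_2$ then consider a VA with $T \neq F$ and with an element
H that satisfies $y_b(H) = T$ and $y_b\left(\frac{\partial}{\partial R}\left(\frac{\partial}{\partial a}(H)\right)\right) = F$ for all R. Assume $T =_{fr} Q$, then also
$(T \circ b) =_{fr} ((Q_1 \triangleleft a \triangleright Q_2) \circ b)$ and hence $(T \circ b)/H = T$ while $(Q \circ b)/H = y_b\left(\frac{\partial}{\partial Q_i}\left(\frac{\partial}{\partial a}(H)\right)\right) = F$
which is a contradiction, hence $T \neq_{fr} Q$.

If $P \equiv F$ a similar argument applies.

If $P \equiv P_1 \triangleleft a \triangleright P_2$ then the cases $Q \equiv T$ and $Q \equiv F$ can be dealt with as above. If
$Q \equiv Q_1 \triangleleft b \triangleright Q_2$ we find for $a = b$ by induction the desired result, and otherwise consider a VA
with $T \neq F$ and with an element H that satisfies $y_a(H) = y_b(H) = T$, $y_a\left(\frac{\partial}{\partial R}\left(\frac{\partial}{\partial a}(H)\right)\right) = F$
and $y_a\left(\frac{\partial}{\partial R}\left(\frac{\partial}{\partial b}(H)\right)\right) = T$ for all R. Assume $P =_{fr} Q$, then also $(P \circ a)/H = (Q \circ a)/H$
and hence $F = y_a\left(\frac{\partial}{\partial P_1}\left(\frac{\partial}{\partial a}(H)\right)\right) = y_a\left(\frac{\partial}{\partial Q_1}\left(\frac{\partial}{\partial b}(H)\right)\right) = T$, which is a contradiction, hence
$P \neq_{fr} Q$. □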

As a corollary we find a proof of Proposition 3.3, i.e., for basic forms, provable equality
in CP and syntactic equality coincide:

Proof of Proposition 3.3. By soundness (Theorem 4.1) it is sufficient to prove that for all
basic forms P and Q, $P =_{fr} Q$ implies $P \equiv Q$, and this is proved in Lemma 6.1. □

It now easily follows that CP axiomatizes free valuation congruence:

Theorem 6.2 (Completeness). If $P =_{fr} Q$ for propositional statements P and Q, then
$CP \vdash P = Q$.

Proof. Assume $P =_{fr} Q$. By Lemma 3.2 there are basic forms $P'$ and $Q'$ with $CP \vdash P = P'$
and $CP \vdash Q = Q'$. By soundness, $P' =_{fr} Q'$ and by Proposition 3.3 $P' \equiv Q'$. Hence,
$CP \vdash P = Q$. □

We proceed by discussing completeness results for the other valuation varieties introduced 
in the previous section. 

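Theorem 6.3. Repetition-proof valuation congruence $=_{rp}$ is axiomatized by the axioms in
CP (see Table 1) and these axiom schemes ($a \in A$):

(CPrp1) $(x \triangleleft a \triangleright y) \triangleleft a \triangleright z = (x \triangleleft a \triangleright x) \triangleleft a \triangleright z$,

(CPrp2) $x \triangleleft a \triangleright (y \triangleleft a \triangleright z) = x \triangleleft a \triangleright (z \triangleleft a \triangleright z)$.

Proof. Let $\mathbb{A}$ be a VA in the variety rp of repetition-proof valuations, thus

Concerning soundness, we only check axiom scheme CPrp2 (the proof for CPrp1 is very
similar): let $H \in \mathbb{A}$, then

$$(P \triangleleft a \triangleright (Q \triangleleft a \triangleright R))/H = \begin{cases} P/\frac{\partial}{\partial a}(H) & \text{if } y_a(H) = T, \\ (Q \triangleleft a \triangleright R)/\frac{\partial}{\partial a}(H) & \text{if } y_a(H) = F, \end{cases}$$

$$= \begin{cases} P/\frac{\partial}{\partial a}(H) & \text{if } y_a(H) = T, \\ R/\frac{\partial}{\partial a}\left(\frac{\partial}{\partial a}(H)\right) & \text{if } y_a(H) = F = y_a\left(\frac{\partial}{\partial a}(H)\right), \end{cases}$$

$$= (P \triangleleft a \triangleright (R \triangleleft a \triangleright R))/H,$$

and

$$\frac{\partial}{\partial (P \triangleleft a \triangleright (Q \triangleleft a \triangleright R))}(H) = \begin{cases} \frac{\partial}{\partial P}\left(\frac{\partial}{\partial a}(H)\right) & \text{if } y_a(H) = T, \\ \frac{\partial}{\partial (Q \triangleleft a \triangleright R)}\left(\frac{\partial}{\partial a}(H)\right) & \text{if } y_a(H) = F, \end{cases}$$

$$= \begin{cases} \frac{\partial}{\partial P}\left(\frac{\partial}{\partial a}(H)\right) & \text{if } y_a(H) = T, \\ \frac{\partial}{\partial R}\left(\frac{\partial}{\partial a}\left(\frac{\partial}{\partial a}(H)\right)\right) & \text{if } y_a(H) = F = y_a\left(\frac{\partial}{\partial a}(H)\right), \end{cases}$$

$$= \frac{\partial}{\partial (P \triangleleft a \triangleright (R \triangleleft a \triangleright R))}(H).$$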

In order to prove completeness we use a variant of basic forms, which we call rp-basic
forms, that 'minimizes' on repetition-proof valuation congruence:

• T and F are rp-basic forms, and

• $P_1 \triangleleft a \triangleright P_2$ is an rp-basic form if $P_1$ and $P_2$ are rp-basic forms, and if $P_i$ is not equal
to T or F, then either the central condition in $P_i$ is different from a, or $P_i$ is of the
form $a \circ P'$ with $P'$ an rp-basic form.

Each propositional statement can in $CP_{rp}$ be proved equal to an rp-basic form (this follows
by structural induction). For P and Q rp-basic forms, $P =_{rp} Q$ implies $P \equiv Q$. This follows
in the same way as in the proof of Lemma 6.1.

Assume $P =_{rp} Q$, so there exist rp-basic forms $P'$ and $Q'$ with $CP_{rp} \vdash P = P'$ and
$CP_{rp} \vdash Q = Q'$. By soundness, $P' =_{rp} Q'$ and as argued above, $P' \equiv Q'$. Hence, $CP_{rp} \vdash P = Q$. □

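Theorem 6.4. Contractive valuation congruence $=_{cr}$ is axiomatized by the axioms in CP
(see Table 1) and these axiom schemes ($a \in A$):

(CPcr1) $(x \triangleleft a \triangleright y) \triangleleft a \triangleright z = x \triangleleft a \triangleright z$,

(CPcr2) $x \triangleleft a \triangleright (y \triangleleft a \triangleright z) = x \triangleleft a \triangleright z$.

These schemes contract for each $a \in A$ respectively the T-case and the F-case, and
immediately imply CPrp1 and CPrp2.

Proof. Let $\mathbb{A}$ be a VA in the variety cr of contractive valuations, i.e., for all $a \in A$,

$$\frac{\partial}{\partial a}\left(\frac{\partial}{\partial a}(x)\right) = \frac{\partial}{\partial a}(x) \quad \text{and} \quad y_a(x) = y_a\left(\frac{\partial}{\partial a}(x)\right).$$

Concerning soundness we only check axiom scheme CPcr1: let $H \in \mathbb{A}$, then

$$((P \triangleleft a \triangleright Q) \triangleleft a \triangleright R)/H = \begin{cases} (P \triangleleft a \triangleright Q)/\frac{\partial}{\partial a}(H) & \text{if } y_a(H) = T, \\ R/\frac{\partial}{\partial a}(H) & \text{if } y_a(H) = F, \end{cases}$$

$$= \begin{cases} P/\frac{\partial}{\partial a}(H) & \text{if } y_a(H) = T = y_a\left(\frac{\partial}{\partial a}(H)\right), \\ R/\frac{\partial}{\partial a}(H) & \text{if } y_a(H) = F, \end{cases}$$

$$= (P \triangleleft a \triangleright R)/H,$$

and

$$\frac{\partial}{\partial ((P \triangleleft a \triangleright Q) \triangleleft a \triangleright R)}(H) = \begin{cases} \frac{\partial}{\partial P}\left(\frac{\partial}{\partial a}\left(\frac{\partial}{\partial a}(H)\right)\right) & \text{if } y_a(H) = T = y_a\left(\frac{\partial}{\partial a}(H)\right), \\ \frac{\partial}{\partial R}\left(\frac{\partial}{\partial a}(H)\right) & \text{if } y_a(H) = F, \end{cases}$$

$$= \begin{cases} \frac{\partial}{\partial P}\left(\frac{\partial}{\partial a}(H)\right) & \text{if } y_a(H) = T = y_a\left(\frac{\partial}{\partial a}(H)\right), \\ \frac{\partial}{\partial R}\left(\frac{\partial}{\partial a}(H)\right) & \text{if } y_a(H) = F, \end{cases}$$

$$= \frac{\partial}{\partial (P \triangleleft a \triangleright R)}(H).$$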

In order to prove completeness we again use a variant of basic forms, which we call
cr-basic forms, that 'minimizes' on contractive valuation congruence:

• T and F are cr-basic forms, and

• $P_1 \triangleleft a \triangleright P_2$ is a cr-basic form if $P_1$ and $P_2$ are cr-basic forms, and if $P_i$ is not equal to
T or F, the central condition in $P_i$ is different from a.

Each propositional statement can in $CP_{cr}$ be proved equal to a cr-basic form (this follows
by structural induction). For P and Q cr-basic forms, $P =_{cr} Q$ implies $P \equiv Q$. This follows
in the same way as in the proof of Lemma 6.1.

Assume $P =_{cr} Q$, so there exist cr-basic forms $P'$ and $Q'$ with $CP_{cr} \vdash P = P'$ and
$CP_{cr} \vdash Q = Q'$. By soundness, $P' =_{cr} Q'$ and as argued above, $P' \equiv Q'$. Hence, $CP_{cr} \vdash P = Q$. □



7 Completeness for $=_{wm}$



In this section we give a complete axiomatization of weakly memorizing valuation congru- 
ence. 

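Theorem 7.1. Weakly memorizing valuation congruence $=_{wm}$ is axiomatized by the axioms
in $CP_{cr}$ and these axiom schemes ($a, b \in A$):

(CPwm1) $((x \triangleleft a \triangleright y) \triangleleft b \triangleright z) \triangleleft a \triangleright v = (x \triangleleft b \triangleright z) \triangleleft a \triangleright v$,

(CPwm2) $x \triangleleft a \triangleright (y \triangleleft b \triangleright (z \triangleleft a \triangleright v)) = x \triangleleft a \triangleright (y \triangleleft b \triangleright v)$.

We write $CP_{wm}$ for this set of axioms.

Before giving a proof we discuss some characteristics of $CP_{wm}$. We define a special type
of basic forms.

Let P be a basic form. Define pos(P) as the set of atoms that occur at left-hand (positive)
positions in P: $pos(T) = pos(F) = \emptyset$ and $pos(P \triangleleft a \triangleright Q) = \{a\} \cup pos(P)$, and define neg(P)
as the set of atoms that occur at right-hand (negative) positions in P: $neg(T) = neg(F) = \emptyset$
and $neg(P \triangleleft a \triangleright Q) = \{a\} \cup neg(Q)$.

Now wm-basic forms are defined as follows: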
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• T and F are wm-basic forms, and 

• P <a>Q is a wm-basic form if P and Q are wm-basic forms and a g - pos(P) U neg(Q). 

The idea is that in a wm-basic form, as long as the evaluation of consecutive atoms keeps 
yielding the same reply, no atom is evaluated twice. Clearly, each wm-basic form also is a 
cr-basic form, but not vice versa, e.g., T < a > (T < b > (T < a > F)) is not a wm-basic form 
because a 6 neg(T <b> (T < a > F)). A more intricate example is one in which a and 6 
"alternate" : 

(T <a 6 > [(F < & > (T < a > F)) < a > T]) < a > F 

is a wm-basic form because pos(T < b > [(F <i 6 i> (T <i a > F)) < a > T]) = {&} ^ a and 
T <b> [(F < 6 > (T < a > F)) < a > T] is a tOTn-basic form, where the latter statement follows 
because neg((F <b> (T <a\> F)) <d a > T) = {a} ^ b and because F < b > (T < a > F) is clearly 
a wm-basic form. 

Proposition 7.2. For each propositional statement P there is a wm-basic form P' with 
CP wm r P = P . 



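Proof. By Proposition 3.3 we may assume that $P$ is a basic form and we proceed by structural 
induction on $P$. If $P = T$ or $P = F$ we are done. Otherwise, $P = P_1 \triangleleft a \triangleright P_2$ and we may 
assume that $P_i$ are wm-basic forms (if not, they can be proved equal to wm-basic forms). We 
first consider the positive side of $P$. If $a \notin pos(P_1)$ we are done, otherwise we saturate $P_1$ 
by replacing each atom $b \neq a$ that occurs in a positive position with $(a \triangleleft b \triangleright F)$ using axiom 
CPwm1. In this way we can retract each $a$ that is in $pos(P_1)$ (also using CPcr1) and end 
up with $P_1'$ that does not contain $a$ on positive positions. For example, 

$$\begin{aligned}
&(((T \triangleleft a \triangleright R) \triangleleft b \triangleright S) \triangleleft c \triangleright V) \triangleleft a \triangleright P_2 \\
&\quad= (((T \triangleleft a \triangleright R) \triangleleft (a \triangleleft b \triangleright F) \triangleright S) \triangleleft (a \triangleleft c \triangleright F) \triangleright V) \triangleleft a \triangleright P_2 \\
&\quad= (((((T \triangleleft a \triangleright R) \triangleleft a \triangleright S) \triangleleft b \triangleright S) \triangleleft a \triangleright V) \triangleleft c \triangleright V) \triangleleft a \triangleright P_2 \\
&\quad= (((T \triangleleft b \triangleright S) \triangleleft a \triangleright V) \triangleleft c \triangleright V) \triangleleft a \triangleright P_2 \\
&\quad= ((T \triangleleft b \triangleright S) \triangleleft c \triangleright V) \triangleleft a \triangleright P_2.
\end{aligned}$$

Following the same procedure for the negative side of $P$ (saturation with $(T \triangleleft b \triangleright a)$ for 
all $b \neq a$ etc.) yields a wm-basic form $P_1' \triangleleft a \triangleright P_2'$ with $CP_{wm} \vdash P = P_1' \triangleleft a \triangleright P_2'$. □ 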
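The definitions of pos, neg, cr-basic and wm-basic forms, and the retraction step used in the proof of Proposition 7.2, can be made concrete as follows. This is an added example, not code from the paper; the tuple encoding and the function names (`retract`, `to_wm_basic`) are assumptions, and `to_wm_basic` only reads off the net effect of saturating and retracting as shown in the worked derivation above.

```python
# Added example: basic forms as nested tuples. "T" and "F" are the constants and
# (P, a, Q) stands for P <| a |> Q with the atom name a as central condition.
LEAVES = ("T", "F")

def pos(p):
    """Atoms at left-hand (positive) positions: pos(P <| a |> Q) = {a} U pos(P)."""
    return set() if p in LEAVES else {p[1]} | pos(p[0])

def neg(p):
    """Atoms at right-hand (negative) positions: neg(P <| a |> Q) = {a} U neg(Q)."""
    return set() if p in LEAVES else {p[1]} | neg(p[2])

def is_cr_basic(p):
    """A direct subterm that is not T or F must have a different central atom."""
    if p in LEAVES:
        return True
    left, a, right = p
    return all(is_cr_basic(s) and (s in LEAVES or s[1] != a) for s in (left, right))

def is_wm_basic(p):
    """P <| a |> Q is wm-basic if P and Q are and a is not in pos(P) U neg(Q)."""
    if p in LEAVES:
        return True
    left, a, right = p
    return (is_wm_basic(left) and is_wm_basic(right)
            and a not in pos(left) | neg(right))

def retract(p, a, side):
    """Drop every a-node on the left spine (side=0) or right spine (side=2) of p,
    keeping the subterm on that same side (net effect of CPwm1/CPcr1, resp.
    CPwm2/CPcr2, as in the worked derivation)."""
    if p in LEAVES:
        return p
    if p[1] == a:
        return retract(p[side], a, side)
    parts = list(p)
    parts[side] = retract(p[side], a, side)
    return tuple(parts)

def to_wm_basic(p):
    """Bottom-up: make both arguments wm-basic, then retract the central atom
    from the positive side of the left and the negative side of the right one."""
    if p in LEAVES:
        return p
    left, a, right = to_wm_basic(p[0]), p[1], to_wm_basic(p[2])
    return (retract(left, a, 0), a, retract(right, a, 2))

# The two examples from the text.
EX_NOT_WM = ("T", "a", ("T", "b", ("T", "a", "F")))
EX_WM = (("T", "b", (("F", "b", ("T", "a", "F")), "a", "T")), "a", "F")

# The worked derivation, with R, S, V, P2 instantiated by constants
# (constructed instance: R = F, S = F, V = T, P2 = F).
DERIVATION_IN = (((("T", "a", "F"), "b", "F"), "c", "T"), "a", "F")
DERIVATION_OUT = ((("T", "b", "F"), "c", "T"), "a", "F")

if __name__ == "__main__":
    print(is_cr_basic(EX_NOT_WM), is_wm_basic(EX_NOT_WM), is_wm_basic(EX_WM))
    print(to_wm_basic(DERIVATION_IN) == DERIVATION_OUT)
```
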

We state without proof: 
Proposition 7.3. For all wm-basic forms $P$ and $Q$, $P =_{wm} Q$ implies $P = Q$. 

Proof of Theorem 7.1. Let $\mathbb{A}$ be a VA in the variety wm of weakly memorizing valuations, 
thus for all $a, b \in A$, 
and all equations for contractive valuations hold in $\mathbb{A}$. The soundness of axiom CPwm1 and 
CPwm2 follows immediately. We prove the latter one: let $H \in \mathbb{A}$, then 

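$$\begin{aligned}
(P \triangleleft a \triangleright (Q \triangleleft b \triangleright (Z \triangleleft a \triangleright V)))/H
&= \begin{cases}
P/\frac{\partial}{\partial a}(H) & \text{if } y_a(H) = T,\\
Q/\frac{\partial}{\partial b}(\frac{\partial}{\partial a}(H)) & \text{if } y_a(H) = F \text{ and } y_b(\frac{\partial}{\partial a}(H)) = T,\\
(Z \triangleleft a \triangleright V)/\frac{\partial}{\partial b}(\frac{\partial}{\partial a}(H)) & \text{if } y_a(H) = F \text{ and } y_b(\frac{\partial}{\partial a}(H)) = F,
\end{cases}\\
&= \begin{cases}
P/\frac{\partial}{\partial a}(H) & \text{if } y_a(H) = T,\\
Q/\frac{\partial}{\partial b}(\frac{\partial}{\partial a}(H)) & \text{if } y_a(H) = F \text{ and } y_b(\frac{\partial}{\partial a}(H)) = T,\\
V/\frac{\partial}{\partial b}(\frac{\partial}{\partial a}(H)) & \text{if } y_a(H) = F \text{ and } y_b(\frac{\partial}{\partial a}(H)) = F,
\end{cases}\\
&= (P \triangleleft a \triangleright (Q \triangleleft b \triangleright V))/H,
\end{aligned}$$

and 

$$\begin{aligned}
\frac{\partial}{\partial (P \triangleleft a \triangleright (Q \triangleleft b \triangleright (Z \triangleleft a \triangleright V)))}(H)
&= \begin{cases}
\frac{\partial}{\partial P}(\frac{\partial}{\partial a}(H)) & \text{if } y_a(H) = T,\\
\frac{\partial}{\partial Q}(\frac{\partial}{\partial b}(\frac{\partial}{\partial a}(H))) & \text{if } y_a(H) = F \text{ and } y_b(\frac{\partial}{\partial a}(H)) = T,\\
\frac{\partial}{\partial (Z \triangleleft a \triangleright V)}(\frac{\partial}{\partial b}(\frac{\partial}{\partial a}(H))) & \text{if } y_a(H) = F \text{ and } y_b(\frac{\partial}{\partial a}(H)) = F,
\end{cases}\\
&= \begin{cases}
\frac{\partial}{\partial P}(\frac{\partial}{\partial a}(H)) & \text{if } y_a(H) = T,\\
\frac{\partial}{\partial Q}(\frac{\partial}{\partial b}(\frac{\partial}{\partial a}(H))) & \text{if } y_a(H) = F \text{ and } y_b(\frac{\partial}{\partial a}(H)) = T,\\
\frac{\partial}{\partial V}(\frac{\partial}{\partial b}(\frac{\partial}{\partial a}(H))) & \text{if } y_a(H) = F \text{ and } y_b(\frac{\partial}{\partial a}(H)) = F,
\end{cases}\\
&= \frac{\partial}{\partial (P \triangleleft a \triangleright (Q \triangleleft b \triangleright V))}(H).
\end{aligned}$$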



In order to prove completeness assume $P =_{wm} Q$. By Proposition 7.2 there are wm- 
basic forms $P'$ and $Q'$ with $CP_{wm} \vdash P = P', Q = Q'$. By soundness $P' =_{wm} Q'$ and by 
Proposition 7.3 $P' = Q'$, and thus $CP_{wm} \vdash P = Q$. □ 



8 Completeness for $=_{mem}$ 

In this section we provide a complete axiomatization of memorizing valuation congruence. 

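Theorem 8.1. Memorizing valuation congruence $=_{mem}$ is axiomatized by the axioms in 
CP (see Table 1) and this axiom: 

(CPmem) $x \triangleleft y \triangleright (z \triangleleft u \triangleright (v \triangleleft y \triangleright w)) = x \triangleleft y \triangleright (z \triangleleft u \triangleright w)$. 

We write $CP_{mem}$ for this set of axioms. 

Before proving this theorem, we discuss some characteristics of $CP_{mem}$. Axiom CPmem 
defines how the central condition $y$ may recur in an expression. This axiom yields in combi- 
nation with CP some interesting consequences. First, CPmem has three symmetric variants, 
which all follow easily with $x \triangleleft y \triangleright z = z \triangleleft (F \triangleleft y \triangleright T) \triangleright x$ $(= z \triangleleft \neg y \triangleright x)$: 

$x \triangleleft y \triangleright ((z \triangleleft y \triangleright u) \triangleleft v \triangleright w) = x \triangleleft y \triangleright (u \triangleleft v \triangleright w)$, (6) 

$(x \triangleleft y \triangleright (z \triangleleft u \triangleright v)) \triangleleft u \triangleright w = (x \triangleleft y \triangleright z) \triangleleft u \triangleright w$, (7) 

$((x \triangleleft y \triangleright z) \triangleleft u \triangleright v) \triangleleft y \triangleright w = (x \triangleleft u \triangleright v) \triangleleft y \triangleright w$. (8) 

The axioms of $CP_{mem}$ imply various laws for contraction: 

$x \triangleleft y \triangleright (v \triangleleft y \triangleright w) = x \triangleleft y \triangleright w$ (take $u = F$ in CPmem), (9) 

$x \triangleleft y \triangleright (T \triangleleft u \triangleright y) = x \triangleleft y \triangleright u$ (take $z = v = T$ and $w = F$ in CPmem), (10) 

$(x \triangleleft y \triangleright z) \triangleleft y \triangleright u = x \triangleleft y \triangleright u$, (11) 

$(x \triangleleft y \triangleright F) \triangleleft x \triangleright z = y \triangleleft x \triangleright z$, (12) 

and thus (take $v = T$ and $w = F$ in (9), respectively $x = T$ and $z = F$ in (11)), 

$x \triangleleft y \triangleright y = x \triangleleft y \triangleright F$ and $y \triangleleft y \triangleright u = T \triangleleft y \triangleright u$. 
The latter two equations immediately imply the following very simple contraction laws: 

$x \triangleleft x \triangleright x = x \triangleleft x \triangleright F = T \triangleleft x \triangleright x = T \triangleleft x \triangleright F = x$. 

Let $A'$ be a finite subset of $A$. We employ a special type of basic forms based on $A'$: 
mem-basic forms over $A'$ are defined by 

T, F, 

$P \triangleleft a \triangleright Q$ if $a \in A'$ and $P$ and $Q$ are mem-basic forms over $A' \setminus \{a\}$. 

E.g., for $A' = \{a\}$ the set of all mem-basic forms is $\{bv,\ bv \triangleleft a \triangleright bv' \mid bv, bv' \in \{T, F\}\}$, and 
for $A' = \{a, b\}$ it is 

$\{bv,\ t_1 \triangleleft a \triangleright t_2,\ t_3 \triangleleft b \triangleright t_4 \mid bv \in \{T, F\},\ t_1, t_2$ mem-basic forms over $\{b\}$, 

$t_3, t_4$ mem-basic forms over $\{a\}\}$. 

Proposition 8.2. For each propositional statement $P$ there is a mem-basic form $P'$ with 

$CP_{mem} \vdash P = P'$. 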



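Proof. By Proposition 3.3 we may assume that $P$ is a basic form and we proceed by structural 
induction on $P$. If $P = T$ or $P = F$ we are done. Otherwise, $P = P_1 \triangleleft a \triangleright P_2$. 

We first show that 

$CP_{mem} \vdash P_1 \triangleleft a \triangleright P_2 = P_1[T/a] \triangleleft a \triangleright P_2$ 

by induction on $P_1$: if $P_1$ equals T or F this is clear. If $P_1 = Q \triangleleft a \triangleright R$ then $CP \vdash P_1[T/a] = 
Q[T/a]$ and we derive 

$$\begin{aligned}
P_1 \triangleleft a \triangleright P_2 &= (Q \triangleleft a \triangleright R) \triangleleft a \triangleright P_2 \\
&= (Q[T/a] \triangleleft a \triangleright R) \triangleleft a \triangleright P_2 \\
&= Q[T/a] \triangleleft a \triangleright P_2 \\
&= P_1[T/a] \triangleleft a \triangleright P_2,
\end{aligned}$$

and if $P_1 = Q \triangleleft b \triangleright R$ with $b \neq a$ then $CP \vdash P_1[T/a] = Q[T/a] \triangleleft b \triangleright R[T/a]$ and we derive 

$$\begin{aligned}
P_1 \triangleleft a \triangleright P_2 &= (Q \triangleleft b \triangleright R) \triangleleft a \triangleright P_2 \\
&= ((Q \triangleleft a \triangleright T) \triangleleft b \triangleright (R \triangleleft a \triangleright T)) \triangleleft a \triangleright P_2 \\
&= ((Q[T/a] \triangleleft a \triangleright T) \triangleleft b \triangleright (R[T/a] \triangleleft a \triangleright T)) \triangleleft a \triangleright P_2 \\
&= (Q[T/a] \triangleleft b \triangleright R[T/a]) \triangleleft a \triangleright P_2 \\
&= P_1[T/a] \triangleleft a \triangleright P_2.
\end{aligned}$$

In a similar way, but now using (9), axiom CPmem and (6) instead, we find $CP_{mem} \vdash 
P_1 \triangleleft a \triangleright P_2 = P_1 \triangleleft a \triangleright P_2[F/a]$, and thus 

$CP_{mem} \vdash P_1 \triangleleft a \triangleright P_2 = P_1[T/a] \triangleleft a \triangleright P_2[F/a]$. 

Finally, with axioms CP1 and CP2 we find basic forms $Q_i$ in which $a$ does not occur with 
$CP_{mem} \vdash Q_1 = P_1[T/a]$ and $CP_{mem} \vdash Q_2 = P_2[F/a]$. □ 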

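We state without proof: 
Proposition 8.3. For all mem-basic forms $P$ and $Q$, $P =_{mem} Q$ implies $P = Q$. 

Proof of Theorem 8.1. Let $\mathbb{A}$ be a VA in the variety mem of memorizing valuations, i.e., for 
all $a, b \in A$, 

$\frac{\partial}{\partial a}(\frac{\partial}{\partial b}(\frac{\partial}{\partial a}(x))) = \frac{\partial}{\partial b}(\frac{\partial}{\partial a}(x)) \;\wedge\; y_a(\frac{\partial}{\partial b}(\frac{\partial}{\partial a}(x))) = y_a(x)$, 

and all equations for contractive valuations also hold in $\mathbb{A}$. In order to prove soundness we 
use the following generalization of these equations, which can easily be proved by structural 
induction on $Q$: for all propositional statements $P, Q, R, S$ and valuations $H \in \mathbb{A}$, 

$\frac{\partial}{\partial Q}(\frac{\partial}{\partial P}(\frac{\partial}{\partial Q}(H))) = \frac{\partial}{\partial P}(\frac{\partial}{\partial Q}(H))$ and $Q/\frac{\partial}{\partial P}(\frac{\partial}{\partial Q}(H)) = Q/H$. (13) 

If $Q = a$, then apply induction on $P$: the cases $P = T$ and $P = F$ are trivial, and if $P = b$ 
then (13) follows by definition. If $P = P_1 \triangleleft P_2 \triangleright P_3$ then if $P_2/\frac{\partial}{\partial a}(H) = T$, 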

9^(9(Pi<p 2 >p 3 )(dJr( )" = a^apvapl';^' ■")))) 

= a^vap7(a^(ap^(a^(-"))))J 
= SpTVa^lap^v as (•")))) 

_ a 

a(Pi<p 2 i>p 3 ) 

and 

a / a 



(£(*0). 



a /a(p 1 <p 2 >p 3 )(a^(- ff )) = a /dpSap;id^i H )y) 



a/P, 



and if $P_2/\frac{\partial}{\partial a}(H) = F$ a similar argument applies. 

If $Q = Q_1 \triangleleft Q_2 \triangleright Q_3$ then first assume $Q_2/H = T$, so 

dQy~dP\~dQ (-"))) = aor(a(PoQ 2 )(aQr(aQj(-")))) 



d{PoQ 2 ) (aQTVaoJ (■"))) 



and (Qi<Q2>Q 3 )/&(^(H)) = Q 1 / B _| g _( 3 |_( 3 |_(jy)) = Qi/jfeiH) = Q/P. Finally, 
if $Q_2/H = F$ a similar argument applies. 



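We find by (13) for $Q/H = F$ and propositional statements $V, W, S$ that 
$(V \triangleleft Q \triangleright W)/\frac{\partial}{\partial S}(\frac{\partial}{\partial Q}(H)) = W/\frac{\partial}{\partial S}(\frac{\partial}{\partial Q}(H))$ and $\frac{\partial}{\partial (V \triangleleft Q \triangleright W)}(\frac{\partial}{\partial S}(\frac{\partial}{\partial Q}(H))) = \frac{\partial}{\partial W}(\frac{\partial}{\partial S}(\frac{\partial}{\partial Q}(H)))$. 
Now the soundness of axiom CPmem follows immediately: 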



(P«Q[>(P«S[>(y«Q> W)))/H 



if Q/H = T, 

if Q/H = F and S/-^(H) = T, 



[(V<Q» W)/£(^(H)) if Q/ff - F and S/^(H) = F, 



'P/^(H) 



if Q/H = T, 



and 



R/M&V 1 )) XQ/H = F and S/^(H)=T, 
W /MM H ^ *Q/H = F and S/-fe(H)=F, 

= (P<Qt>(R<S>W))/H 1 

;(H) 



d{P<Q>(R<S>(V<Q>W))) ' 






if Q/H = T, 

if Q/H = F and S/J^{H) = T, 
a^dWI^™ H Q/H = F and S/JL(H)=F } 

a 1 a 



if Q/H = T, 



MUmt H ))) ifQ/H = Fand5/^(H) = F. 



OR^dS^ dQ 
d 
9Q 



IMMmW)) if Q/P = F and S/^(P) = F, 



s(p<q>(.r<S[>wo) 



(P). 



In order to prove completeness assume $P =_{mem} Q$. By Proposition 8.2 there are mem- 
basic forms $P'$ and $Q'$ with $CP_{mem} \vdash P = P', Q = Q'$. By soundness, $P' =_{mem} Q'$, and by 
Proposition 8.3 $P' = Q'$, and thus $CP_{mem} \vdash P = Q$. □ 

9 Completeness for $=_{st}$ 

In this section we provide a complete axiomatization of static valuation congruence. 

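Theorem 9.1 (Hoare [17]). Static valuation congruence $=_{st}$ is axiomatized by the axioms 
in CP (see Table 1) and these axioms: 

(CPstat) $(x \triangleleft y \triangleright z) \triangleleft u \triangleright v = (x \triangleleft u \triangleright v) \triangleleft y \triangleright (z \triangleleft u \triangleright v)$, 

(CPcontr) $(x \triangleleft y \triangleright z) \triangleleft y \triangleright u = x \triangleleft y \triangleright u$. 

We write $CP_{st}$ for this set of axioms. 

Observe that axiom CPcontr equals the derivable identity (11) which holds in $CP_{mem}$. 
Also note that the symmetric variants of the axioms CPstat and CPcontr, say 

(CPstat') $x \triangleleft y \triangleright (z \triangleleft u \triangleright v) = (x \triangleleft y \triangleright z) \triangleleft u \triangleright (x \triangleleft y \triangleright v)$, 
(CPcontr') $x \triangleleft y \triangleright (z \triangleleft y \triangleright u) = x \triangleleft y \triangleright u$, 

easily follow with identity (2), i.e., $y \triangleleft x \triangleright z = z \triangleleft (F \triangleleft x \triangleright T) \triangleright y$, which is even valid in free 
valuation congruence, and that CPcontr' = (9). Thus, the axiomatization of static valuation 
congruence is obtained from CP by adding the axiom CPstat that prescribes for a nested 
conditional composition how the order of the first and a second central condition can be 
changed, and a generalization of the axioms CPcr1 and CPcr2 that prescribes contraction 
for terms (instead of atoms). Moreover, in $CP_{st}$ it can be derived that 

$$\begin{aligned}
x &= (x \triangleleft y \triangleright z) \triangleleft F \triangleright x \\
&= (x \triangleleft F \triangleright x) \triangleleft y \triangleright (z \triangleleft F \triangleright x) \\
&= x \triangleleft y \triangleright x \\
&= y \circ x,
\end{aligned}$$

thus any 'and-then' prefix can be added to (or left out from) a propositional statement while 
preserving static valuation congruence, in particular $x \triangleleft x \triangleright x = x \circ x = x$. 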



Proof of Theorem 9.1. Soundness follows from the definition of static valuations: let $\mathbb{A}$ be 
a VA that satisfies for all $a, b \in A$, 

$y_a(\frac{\partial}{\partial b}(x)) = y_a(x)$. 

These equations imply that for all $P, Q$ and $H \in \mathbb{A}$, 

$P/H = P/\frac{\partial}{\partial Q}(H)$. 

As a consequence, the validity of axioms CPstat and CPcontr follows from simple case 
distinctions. Furthermore, Hoare showed in [17] that $CP_{st}$ is complete for static valuation 
congruence. 

For an idea of a direct proof, assume $P =_{st} Q$ and assume that the atoms occurring in $P$ 
and $Q$ are ordered as $a_1, \ldots, a_n$. Then under static valuation congruence each propositional 
statement containing no other atoms than $a_1, \ldots, a_n$ can be rewritten into the following 
special type of basic form: consider the full binary tree with at level $i$ only occurrences of 
atom $a_i$ (there are $2^{i-1}$ such occurrences), and at level $n + 1$ only leaves that are either T 
or F (there are $2^n$ such leaves). Then each series of leaves represents one of the possible 
propositional statements in which these atoms may occur, and the axioms in $CP_{mem}$ are 
sufficient to rewrite both $P$ and $Q$ into exactly one such basic form. For these basic forms, 
static valuation congruence implies syntactic equivalence. Hence, completeness for closed 
equations follows. □ 

As an aside, we note that the axioms CPcontr and CPcontr' immediately imply CPcr1 
and CPcr2, and conversely, that for $y$ ranging over closed terms, these axioms are derivable 
from CP + CPstat + CPcr1 + CPcr2 (by induction on basic forms), which proves completeness 
for closed equations of this particular group of axioms. 

$\neg T = F$ (15) 

$\neg F = T$ (16) 

$\neg\neg x = x$ (17) 

$\neg(x \triangleleft y \triangleright z) = \neg x \triangleleft y \triangleright \neg z$ (18) 

$x \triangleleft \neg y \triangleright z = z \triangleleft y \triangleright x$ (19) 

Table 2: Some immediate consequences of the set of axioms CP and equation (14) 

10 Adding negation and definable connectives 

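In this section we formally add negation and various definable connectives to CP. As stated 
earlier (see identity (2)), negation $\neg x$ can be defined as follows: 

$\neg x = F \triangleleft x \triangleright T$ (14) 

The derivable identities in Table 2 play a role in the derivable connectives that we discuss 
below. They can be derived as follows: 

(15) follows from $\neg T = F \triangleleft T \triangleright T = F$, 

(16) follows in a similar way, 

(17) follows from $\neg\neg x = F \triangleleft (F \triangleleft x \triangleright T) \triangleright T = (F \triangleleft F \triangleright T) \triangleleft x \triangleright (F \triangleleft T \triangleright T) = T \triangleleft x \triangleright F = x$, 

(18) follows in a similar way, 

(19) follows from $x \triangleleft \neg y \triangleright z = (z \triangleleft F \triangleright x) \triangleleft \neg y \triangleright (z \triangleleft T \triangleright x) = z \triangleleft (F \triangleleft \neg y \triangleright T) \triangleright x = z \triangleleft y \triangleright x$. 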
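$x \;{}^{\circ}\!\!\wedge\; y = y \triangleleft x \triangleright F$          $x \;{}^{\circ}\!\!\rightarrow\; y = y \triangleleft x \triangleright T$ 

$x \wedge^{\!\circ} y = x \triangleleft y \triangleright F$          $x \rightarrow^{\!\circ} y = T \triangleleft y \triangleright \neg x$ 

$x \;{}^{\circ}\!\!\vee\; y = T \triangleleft x \triangleright y$          $x \;{}^{\circ}\!\!\leftrightarrow\; y = y \triangleleft x \triangleright \neg y$ 

$x \vee^{\!\circ} y = T \triangleleft y \triangleright x$          $x \leftrightarrow^{\!\circ} y = x \triangleleft y \triangleright \neg x$ 

Table 3: Defining equations for derived connectives 

A definable (binary) connective already introduced is the and then operator $\circ$ with defin- 
ing equation $x \circ y = y \triangleleft x \triangleright y$. Furthermore, following [3] we write 

${}^{\circ}\!\!\wedge$ 

for left-sequential conjunction, i.e., a conjunction that first evaluates its lefthand argument 
and only after that is found T carries on with evaluating its second argument (the small 
circle indicates which argument is evaluated first). Similar notations are used for other 
sequential connectives. We provide defining equations for a number of derived connectives 
in Table 3. 

The operators ${}^{\circ}\!\!\wedge$ and left-sequential disjunction ${}^{\circ}\!\!\vee$ are associative and the dual of each 
other, and so are their right-sequential counterparts. For ${}^{\circ}\!\!\wedge$ a proof of this is as follows: 

$$\begin{aligned}
(x \;{}^{\circ}\!\!\wedge\; y) \;{}^{\circ}\!\!\wedge\; z &= z \triangleleft (y \triangleleft x \triangleright F) \triangleright F \\
&= (z \triangleleft y \triangleright F) \triangleleft x \triangleright (z \triangleleft F \triangleright F) \\
&= (y \;{}^{\circ}\!\!\wedge\; z) \triangleleft x \triangleright F \\
&= x \;{}^{\circ}\!\!\wedge\; (y \;{}^{\circ}\!\!\wedge\; z),
\end{aligned}$$

and (a sequential version of De Morgan's laws) 

$$\begin{aligned}
\neg(x \;{}^{\circ}\!\!\wedge\; y) &= F \triangleleft (y \triangleleft x \triangleright F) \triangleright T \\
&= (F \triangleleft y \triangleright T) \triangleleft x \triangleright (F \triangleleft F \triangleright T) \\
&= \neg y \triangleleft x \triangleright T \\
&= T \triangleleft \neg x \triangleright \neg y \\
&= \neg x \;{}^{\circ}\!\!\vee\; \neg y.
\end{aligned}$$

Furthermore, note that $T \;{}^{\circ}\!\!\wedge\; x = x$ and $x \;{}^{\circ}\!\!\wedge\; T = x$, and $F \;{}^{\circ}\!\!\vee\; x = x$ and $x \;{}^{\circ}\!\!\vee\; F = x$. 

Of course, distributivity, as in $(x \;{}^{\circ}\!\!\wedge\; y) \;{}^{\circ}\!\!\vee\; z = (x \;{}^{\circ}\!\!\vee\; z) \;{}^{\circ}\!\!\wedge\; (y \;{}^{\circ}\!\!\vee\; z)$ is not valid in free valuation 
congruence: it changes the order of evaluation and in the right-hand expression $z$ can be 
evaluated twice. It is also obvious that both sequential versions of absorption, one of which 
reads 

$x = x \;{}^{\circ}\!\!\wedge\; (x \;{}^{\circ}\!\!\vee\; y)$, 

are not valid. Furthermore, it is not difficult to prove in CP that ${}^{\circ}\!\!\leftrightarrow$ and $\leftrightarrow^{\!\circ}$ (i.e., the two 
sequential versions of bi-implication defined in Table 3) are also associative, and that ${}^{\circ}\!\!\rightarrow$ 
and $\rightarrow^{\!\circ}$ are not associative, but satisfy the sequential versions of the common definition of 
implication: 

$x \;{}^{\circ}\!\!\rightarrow\; y = \neg x \;{}^{\circ}\!\!\vee\; y$ and $x \rightarrow^{\!\circ} y = \neg x \vee^{\!\circ} y$. 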

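From now on we extend $\Sigma_{CP}(A)$ with the "and then" operator $\circ$, negation and all derived 
connectives introduced in this section, and we adopt their defining equations. Of course, it 
remains the case that each propositional statement has a unique basic form (cf. Lemma 3.2). 

Concerning the example of the propositional statement sketched in Example (1) in Sec- 
tion m 

look-left-and-check ${}^{\circ}\!\!\wedge$ look-right-and-check ${}^{\circ}\!\!\wedge$ look-left-and-check 

indeed precisely models part of the processing of a pedestrian planning to cross a road with 
two-way traffic driving on the right. 

We end this section with a brief comment on these connectives in the setting of other 
valuation congruences. 

• In memorizing valuation congruence, which we call Memorizing logic, the sequential 
connective ${}^{\circ}\!\!\wedge$ has the following properties: 

1. The associativity of ${}^{\circ}\!\!\wedge$ is valid, 

2. The identity $x \;{}^{\circ}\!\!\wedge\; y \;{}^{\circ}\!\!\wedge\; x = x \;{}^{\circ}\!\!\wedge\; y$ is valid (by equation (12)). 

3. The connective ${}^{\circ}\!\!\wedge$ is not commutative. 

• In static valuation congruence, all of ${}^{\circ}\!\!\wedge$, ${}^{\circ}\!\!\vee$, $\wedge^{\!\circ}$ and $\vee^{\!\circ}$ are commutative and idempotent. 
For example, we derive with axiom CPstat that 

$x \;{}^{\circ}\!\!\wedge\; y = y \triangleleft x \triangleright F = (T \triangleleft y \triangleright F) \triangleleft x \triangleright F = (T \triangleleft x \triangleright F) \triangleleft y \triangleright (F \triangleleft x \triangleright F) = x \triangleleft y \triangleright F = y \;{}^{\circ}\!\!\wedge\; x$, 

and with axiom CPcontr and its symmetric counterpart CPcontr', 

$x \;{}^{\circ}\!\!\vee\; x = T \triangleleft x \triangleright x = T \triangleleft x \triangleright (T \triangleleft x \triangleright F) = T \triangleleft x \triangleright F = x$, 
$x \;{}^{\circ}\!\!\wedge\; x = x \triangleleft x \triangleright F = (T \triangleleft x \triangleright x) \triangleleft x \triangleright F = T \triangleleft x \triangleright F = x$. 

As a consequence, the sequential notation of these connectives is not meaningful in 
this case, and distributivity and absorption hold in static valuation congruence. 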

11 Satisfiability and complexity 

In this section we briefly consider some complexity issues. Given a variety $K$ of valuation 
algebras, a propositional statement $P$ is satisfiable with respect to $K$ if for some non-trivial 
$\mathbb{A} \in K$ ($T_{val}$ and $F_{val}$ are different) there exists a valuation $H \in \mathbb{A}$ such that 

$P/H = T$. 

We write 

$SAT_K(P)$ 
if $P$ is satisfiable. We say that $P$ is falsifiable with respect to $K$, notation 

$FAL_K(P)$, 

if and only if a valuation $H \in \mathbb{A} \in K$ exists with $P/H = F$. This is the case if and only if 
$SAT_K(F \triangleleft P \triangleright T)$. 

It is a well-known fact that $SAT_{st}$ is an NP-complete problem. We now argue that $SAT_{fr}$ 
is in P. This is the case because for $=_{fr}$, both $SAT_{fr}$ and $FAL_{fr}$ can be simultaneously 
defined in an inductive manner: let $a \in A$ and write $\neg SAT_{fr}(P)$ to express that $SAT_{fr}(P)$ 
does not hold, and similar for $FAL_{fr}$, then 

$SAT_{fr}(T)$, $\neg FAL_{fr}(T)$, 

$\neg SAT_{fr}(F)$, $FAL_{fr}(F)$, 

$SAT_{fr}(a)$, $FAL_{fr}(a)$, 

and 

$$SAT_{fr}(P \triangleleft Q \triangleright R) \text{ if } \begin{cases} SAT_{fr}(Q) \text{ and } SAT_{fr}(P),\\ \text{or}\\ FAL_{fr}(Q) \text{ and } SAT_{fr}(R), \end{cases}$$

$$FAL_{fr}(P \triangleleft Q \triangleright R) \text{ if } \begin{cases} SAT_{fr}(Q) \text{ and } FAL_{fr}(P),\\ \text{or}\\ FAL_{fr}(Q) \text{ and } FAL_{fr}(R). \end{cases}$$

Hence, with respect to free valuation congruence both $SAT_{fr}(P)$ and $FAL_{fr}(P)$ are com- 
putable in polynomial time. In a similar way one can show that both $SAT_{rp}$ and $SAT_{cr}$ 
are in P. 
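The inductive clauses for $SAT_{fr}$ and $FAL_{fr}$ translate directly into a single linear pass over a term. The following added example (not code from the paper) implements them and cross-checks the result against brute-force sequential evaluation, under the assumption that a free valuation can realise every sequence of replies; the tuple encoding and all function names are choices made for this illustration.

```python
from itertools import product

# Added example. Terms: "T", "F", an atom name such as "a", or a triple
# (P, Q, R) standing for the conditional composition P <| Q |> R.

def lnot(x):                 # negation, equation (14): F <| x |> T
    return ("F", x, "T")

def land(x, y):              # left-sequential conjunction (Table 3): y <| x |> F
    return (y, x, "F")

def lor(x, y):               # left-sequential disjunction (Table 3): T <| x |> y
    return ("T", x, y)

def sat_fal(t):
    """Return (SAT_fr(t), FAL_fr(t)) using the inductive clauses; one visit per subterm."""
    if t == "T":
        return (True, False)
    if t == "F":
        return (False, True)
    if isinstance(t, str):   # an atom can reply either way
        return (True, True)
    p, q, r = t
    (sp, fp), (sq, fq), (sr, fr) = sat_fal(p), sat_fal(q), sat_fal(r)
    return ((sq and sp) or (fq and sr), (sq and fp) or (fq and fr))

def evaluate(t, reply):
    """Sequential evaluation: the condition first, then exactly one branch.
    reply(atom) is asked once for every atom that is actually evaluated."""
    if t in ("T", "F"):
        return t == "T"
    if isinstance(t, str):
        return reply(t)
    p, q, r = t
    return evaluate(p, reply) if evaluate(q, reply) else evaluate(r, reply)

def atom_occurrences(t):
    if t in ("T", "F"):
        return []
    if isinstance(t, str):
        return [t]
    return [a for sub in t for a in atom_occurrences(sub)]

def free_values(t):
    """All results reachable when every atom occurrence may get an arbitrary reply
    (assumption: free valuations realise every reply sequence)."""
    results = set()
    for bits in product((True, False), repeat=len(atom_occurrences(t))):
        stream = iter(bits)
        results.add(evaluate(t, lambda _atom: next(stream)))
    return results

def static_values(t):
    """All results reachable when each atom has one fixed truth value."""
    atoms = sorted(set(atom_occurrences(t)))
    results = set()
    for bits in product((True, False), repeat=len(atoms)):
        assignment = dict(zip(atoms, bits))
        results.add(evaluate(t, assignment.__getitem__))
    return results

# Constructed sample terms.
A_AND_NOT_A = land("a", lnot("a"))       # satisfiable sequentially, not statically
F_AND_A = land("F", "a")                 # the atom is inaccessible
SAMPLES = [A_AND_NOT_A, F_AND_A, ("a", "a", lnot("a")),
           ("a", ("b", "c", "F"), "T"), lor(land("a", "b"), lnot("a")),
           land(lor("F", "F"), "a")]

if __name__ == "__main__":
    for term in SAMPLES:
        print(term, sat_fal(term), free_values(term), static_values(term))
```
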

Of course, many more models of CP exist than those discussed in the previous sections. 
For example, call a valuation positively memorizing (Pmem) if the reply T to an atom is 
preserved after all subsequent replies: 

x < a > y = [T/a]x <a> y 

for all atomic propositions a. In a similar way one can define negatively memorizing valua- 
tions (Nmem): 

x <a> y = x <a> [F/a]y. 

Contractive or weakly memorizing valuations that satisfy Pmem (Nmem) give rise to new 
models in which more propositional statements are identified. 
Theorem 11.1. For $K \in \{$Pmem, cr+Pmem, wm+Pmem, Nmem, cr+Nmem, wm+Nmem$\}$ 
it holds that $SAT_K$ is NP-complete. 

Proof. We only consider the case for Pmem. Then 

$SAT_{st}(\phi) = SAT_{mem}(\phi) = SAT_{Pmem}(\phi \;{}^{\circ}\!\!\wedge\; \ldots \;{}^{\circ}\!\!\wedge\; \phi)$, 

where $\phi$ is repeated $n + 1$ times with $n$ the number of atoms occurring in $\phi$. Each time a $\phi$ 
evaluates to T while it would not do so in $=_{mem}$, this is due to some atom that changes the 
reply. So, this must be a change from F to T, because T remains T by $=_{Pmem}$. Per atom 
this can happen at most once, and if each $\phi$ yields T, then at least once without an atom in 
between flips. But then $\phi$ is also satisfiable in $=_{mem}$. □ 

For $K \in \{$cr+Pmem, wm+Pmem, cr+Nmem, wm+Nmem$\}$, each closed term can be 
written with T, F, $\neg$, ${}^{\circ}\!\!\wedge$ and ${}^{\circ}\!\!\vee$ only. For example in cr+Pmem: 

$x \triangleleft a \triangleright y = (a \;{}^{\circ}\!\!\wedge\; x) \;{}^{\circ}\!\!\vee\; (\neg a \;{}^{\circ}\!\!\wedge\; y)$ 

because after a positive reply to $a$ and whatever happens in $x$, the next $a$ is again positive, 
so $y$ is not evaluated, and after a negative reply to $a$, the subsequent $a$ gets a negative reply 
because of cr, so then $y$ is tested. So here we see models that identify less than $=_{mem}$ and in 
which each closed term can be written without conditional composition. At first sight, this 
cannot be done in a uniform way (using variables only), and it also yields a combinatoric 
explosion because first a rewriting to basic form is needed. For these models $K$, $SAT_K$ is 
known to be NP-complete. 



12 Expressiveness 

In this section we first show that the ternary conditional operator cannot be replaced by $\neg$ 
and ${}^{\circ}\!\!\wedge$ and one of T and F (which together define ${}^{\circ}\!\!\vee$) modulo free valuation congruence. 
Then we show that this is the case for any collection of unary and binary operators each 
of which is definable in $\Sigma_{CP}(A)$ with free valuation congruence, and in a next theorem we 
lift this result to contractive valuation congruence. Finally we observe that the conditional 
operator is definable with $\neg$ and ${}^{\circ}\!\!\wedge$ and one of T and F modulo memorizing valuation 
congruence. It remains an open question whether this is the case in weakly memorizing 
valuation congruence. 

An occurrence of an atom $a$ in a propositional statement over $A$, $\neg$, ${}^{\circ}\!\!\wedge$ and ${}^{\circ}\!\!\vee$ is redundant 
or inaccessible if it is not used along any of the possible arbitrary valuations, as in for example 
$F \;{}^{\circ}\!\!\wedge\; a$. 
The opposite of redundancy is accessibility, which is defined thus ($acc(\phi) \subseteq A$): 

$acc(a) = \{a\}$, 
$acc(T) = \emptyset$, 
$acc(\neg x) = acc(x)$, 

$$acc(x \;{}^{\circ}\!\!\wedge\; y) = \begin{cases} acc(x) & \text{if } \neg SAT_{fr}(x),\\ acc(x) \cup acc(y) & \text{if } SAT_{fr}(x), \end{cases}$$

$$acc(x \;{}^{\circ}\!\!\vee\; y) = \begin{cases} acc(x) & \text{if } \neg SAT_{fr}(\neg x),\\ acc(x) \cup acc(y) & \text{if } SAT_{fr}(\neg x). \end{cases}$$

Proposition 12.1. Let $a \in A$, then the propositional statement $a \triangleleft a \triangleright \neg a$ cannot be expressed 
in $\Sigma_{CP}(A)$ with free valuation congruence using ${}^{\circ}\!\!\wedge$, ${}^{\circ}\!\!\vee$, $\neg$, T and F only. 

Proof. Let $\psi$ be a minimal expression of $a \triangleleft a \triangleright \neg a$. 
Assume $\psi = \psi_0 \;{}^{\circ}\!\!\vee\; \psi_1$. We notice: 

• Both $\psi_0$ and $\psi_1$ must contain $a$: if $\psi_0$ contains no $a$, it is either T and then $\psi$ always 
yields T which is wrong, or F and then $\psi$ can be simplified; if $\psi_1$ contains no $a$ it 
is either T and then $\psi$ always yields T which is wrong, or F and then ${}^{\circ}\!\!\vee\, F$ can be 
removed so $\psi$ was not minimal. 

• $\psi_0$ can yield F otherwise $\psi$ is not minimal. It will do so after using exactly one test $a$ 
(yielding F without a use of $a$ simply means that $a \notin acc(\psi_0)$), yielding F after two 
uses of $a$ implies that evaluation of $\psi$ has at least three uses of $a$ (which is wrong). 

• $\psi_0$ has at most two uses of $a$ if $\psi_0$ yields T, and at most one use of $a$ (so exactly 1) if 
$\psi_0$ yields F. 

Thus, $\psi_0 = F \triangleleft a \triangleright (a \;{}^{\circ}\!\!\vee\; T)$ or $\psi_0 = F \triangleleft \neg a \triangleright (a \;{}^{\circ}\!\!\vee\; T)$, where the $a$ in the righthand sides 
equals either $a$ or $\neg a$, and these sides take their particular form by minimality (other forms 
are $T \;{}^{\circ}\!\!\vee\; a = T$, etc.). But both are impossible as both imply that after a first use of $a$ the 
final value of $\psi$ can be independent of the second value returned for $a$ which is not true for 
$a \triangleleft a \triangleright \neg a$. 

For the case $\psi = \psi_0 \;{}^{\circ}\!\!\wedge\; \psi_1$ a similar type of reasoning applies. □ 

Below we prove two more general results. We first introduce some auxiliary definitions and 
notations because we have to be precise about definability by unary and binary operators. 
For $X$ a countable set of variables, we define 

$T_C(X)$ : the set of terms over $X$, T, F, $\_ \triangleleft \_ \triangleright \_$. 
$T_{TND}(X)$ : the set of terms over $X$, T, $\neg$, ${}^{\circ}\!\!\vee$. 
$T_C^{1,2}(X)$ : the smallest set of terms $V$ such that 

• $T, F \in V$, 

• if $x \in X$ and $t \in T_C(\{x\})$ then $t \in V$, 

• if $x, y \in X$ and $t \in T_C(\{x, y\})$ then $t \in V$, 

• $V$ is closed under substitution. 

Thus $T_C^{1,2}(X)$ contains the terms that can be made from unary and binary operators defin- 
able in $T_C(X)$. For $t \in T_C^{1,2}(\{x\})$ we sometimes write $t(x)$ instead of $t$, and if $s \in T_C^{1,2}(X)$ we 
write $t(s)$ for the term obtained by substituting $s$ for all $x$ in $t$. Similarly, if $u \in T_C^{1,2}(\{x, y\})$ 
we may write $u(x, y)$ for $u$ and if $s, s' \in T_C^{1,2}(X)$ we write $u(s, s')$ for the term obtained by 
substituting $s$ for $x$ and $s'$ for $y$ in $u$. Finally, we define $\#_{2p}(t)$ as the number of 2-place 
terms used in the definition of $t$, i.e., 

$\#_{2p}(x) = \#_{2p}(T) = \#_{2p}(F) = 0$, 

$\#_{2p}(t(s)) = \#_{2p}(t) + \#_{2p}(s)$, 

$\#_{2p}(u(s, s')) = \#_{2p}(u) + \#_{2p}(s) + \#_{2p}(s')$. 

Notice $T_{TND}(X) \subseteq_K T_C^{1,2}(X) \subseteq_K T_C(X)$, where $M \subseteq_K N$ if for each term $t \in M$ there 
is a term $r \in N$ with $r =_K t$ for $K \in \{fr, rp, cr, wm, mem, st\}$. We write $\in_K$ for the 
membership relation associated with $\subseteq_K$. 

The sets $T_{TND}(A)$, $T_C^{1,2}(A)$ and $T_C(A)$ contain the closed substitution instances of the 
respective term sets when constants from $A$ are substituted for the variables. The set 
$T_C^{1,2}(A, X)$ contains the terms constructed from $T_C^{1,2}(A)$ and $T_C^{1,2}(X)$. For given terms 
$r(x) \in T_C^{1,2}(A, \{x\})$ and $t \in T_C^{1,2}(A)$ we write $r(t)$ for the term obtained by substituting $t$ 
for all $x$ in $r$. (Another common notation for $r(t)$ is $[t/x]r(x)$.) We extend the definition of 
$\#_{2p}(t)$ to $T_C^{1,2}(A, X)$ in the expected way by defining $\#_{2p}(a) = 0$ for all $a \in A$. 

Clearly for all $K$, 

$T_{TND}(A) \subseteq_K T_C^{1,2}(A) \subseteq_K T_C(A)$. 

From Proposition 12.1 we find that $a \triangleleft a \triangleright \neg a \notin_{fr} T_{TND}(A)$, thus 

$T_{TND}(A) \subsetneq_{fr} T_C^{1,2}(A)$. 

Theorem 12.2 below establishes that $T_C^{1,2}(A) \subsetneq_{fr} T_C(A)$ as $a \triangleleft b \triangleright c \notin_{fr} T_C^{1,2}(A)$. This result 
transfers to rp-congruence without modification. However, in wm-congruence we find 

$a \triangleleft b \triangleright c =_{wm} (T \triangleleft b \triangleright c) \triangleleft (a \triangleleft b \triangleright T) \triangleright F = (\neg b \;{}^{\circ}\!\!\vee\; a) \;{}^{\circ}\!\!\wedge\; (b \;{}^{\circ}\!\!\vee\; c)$, 

thus $a \triangleleft b \triangleright c \in_{wm} T_C^{1,2}(A)$. 

Theorem 12.2. If $|A| > 2$ then the conditional operator cannot be expressed modulo free 
valuation congruence in $T_C^{1,2}(X)$. 

Proof. It is sufficient to prove that $a \triangleleft b \triangleright c \notin_{fr} T_C^{1,2}(A)$. 

Towards a contradiction, assume $t \in T_C^{1,2}(A)$ is a term such that $t =_{fr} a \triangleleft b \triangleright c$ and $\#_{2p}(t)$ 
is minimal (i.e., if $u \in T_C^{1,2}(A)$ and $u =_{fr} t$ then $\#_{2p}(u) \geq \#_{2p}(t)$). 
We first argue that $t \neq f(b, t')$ for some binary function $f$ and term $t'$. Suppose otherwise, 
then $b$ must be the central condition in $f(b, t')$, so $f(b, t') =_{fr} g(b, t') \triangleleft b \triangleright h(b, t')$ for certain 
binary functions $g$ and $h$ in $T_C^{1,2}(X)$. Because it is neither the case that $b$ can occur as a 
central condition in both $g(b, t')$ and in $h(b, t')$, nor that each of these can be modulo fr in 
$\{T, F\}$, we find 

$t =_{fr} (P \triangleleft t' \triangleright Q) \triangleleft b \triangleright (P' \triangleleft t' \triangleright Q')$ 

for certain $P, P', Q, Q'$. The only possibilities left are that the central atom of $t'$ is either $a$ 
or $c$, and both choices contradict $f(b, t') =_{fr} a \triangleleft b \triangleright c$. 

So it must be the case that 

$t = r(f(b, t'))$ 

for some term $r(x) \in T_C^{1,2}(\{x\})$ such that $b$ is central in $f(b, t')$ and $x$ is central in $r(x)$. If 
no such term $r(x)$ exists, then $t = f'(a')$ with $f'(x)$ a unary operator definable in $T_C^{1,2}(\{x\})$ 
and $a' \in A$, which cannot hold because $t$ needs to contain $a$, $b$ and $c$. 

Also there cannot be a unary function $f' \in T_C^{1,2}(\{x\})$ with $r(f'(b)) =_{fr} r(f(b, t'))$, other- 
wise $r(f'(b)) \in T_C^{1,2}(A)$ while 

$\#_{2p}(r) = \#_{2p}(r(f'(b))) < \#_{2p}(r(f(b, t'))) = \#_{2p}(r) + \#_{2p}(t') + 1$, 

which contradicts the minimality of $\#_{2p}(t)$. 
As $x$ is central in $f(x, y)$ we may write 

$f(x, y) =_{fr} g(x, y) \triangleleft x \triangleright h(x, y)$ 
for certain binary functions $g$ and $h$ in $T_C^{1,2}(X)$. Because $b$ is central in $t$ we find 

$t =_{fr} r(g(b, t') \triangleleft b \triangleright h(b, t'))$. 

We proceed with a case distinction on the form that $g(b, t')$ and $h(b, t')$ may take. At 
least one of these is modulo fr not equal to T or F (otherwise $f(b, t')$ could be replaced by 
$f'(b)$ for some unary function $f'$ and this was excluded above). 

1. Suppose $g(b, t') \notin_{fr} \{T, F\}$ and $h(b, t') \notin_{fr} \{T, F\}$. First notice that $b$ cannot occur as 
a central condition in both $g(b, t')$ and in $h(b, t')$. So, both $g(x, y)$ and $h(x, y)$ can be 
written as a conditional composition with $y$ as the central variable, and we find 

$t =_{fr} r((P \triangleleft t' \triangleright Q) \triangleleft b \triangleright (P' \triangleleft t' \triangleright Q'))$ 

for certain closed terms $P, Q, P', Q'$. By supposition $t' \notin_{fr} \{T, F\}$, and the only possi- 
bilities left are that its central atom equals both $a$ and $c$, which clearly is impossible. 

2. We are left with four cases: either $a$ is central in $g(b, t')$ and $h(b, t') \in_{fr} \{T, F\}$, or $c$ is 
central in $h(b, t')$ and $g(b, t') \in_{fr} \{T, F\}$. These cases are symmetric and it suffices to 
consider only the first one, the others can be dealt with similarly. 
So assume $a$ is central in $g(b, t')$ and $h(b, t') =_{fr} T$, hence 

$g(b, t') =_{fr} P \triangleleft a \triangleright Q$ for some $P, Q \in \{T, F\}$. 
We find 

$t =_{fr} r((P \triangleleft a \triangleright Q) \triangleleft b \triangleright T)$, 

and we distinguish two cases: 

i. $P = T$ or $Q = T$. Now a central $c$ can be reached after a negative reply to $b$. But 
this central $c$ can also be reached after a positive reply to $b$ and the appropriate reply 
to $a$, which contradicts free congruence with $a \triangleleft b \triangleright c$. 

ii. $P = Q = F$. Then the reply to $a$ in $r((F \triangleleft a \triangleright F) \triangleleft b \triangleright T)$ is not used, which also 
contradicts free congruence with $a \triangleleft b \triangleright c$. 

This concludes our proof. □ 

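We will now argue that $a \triangleleft b \triangleright c \notin_{cr} T_C^{1,2}(A)$. We will make use of additional operators 
$T_a$ and $F_a$ for each atom $a \in A$, defined for all $b \in A$ and terms $t, r \in T_C^{1,2}(A)$ by 

$T_a(T) = T$,          $F_a(T) = F$, 

$T_a(F) = F$,          $F_a(F) = F$, 

$T_a(t \triangleleft b \triangleright r) = t \triangleleft b \triangleright r$ if $a \neq b$,          $F_a(t \triangleleft b \triangleright r) = t \triangleleft b \triangleright r$ if $a \neq b$, 

$T_a(t \triangleleft a \triangleright r) = T_a(t)$,          $F_a(t \triangleleft a \triangleright r) = F_a(r)$. 

Observe that $T_a$ ($F_a$) simplifies a term $t$ as if it is a subterm of $a \circ t$ with the additional 
knowledge that the reply on $a$ has been T. We notice that 

$t \triangleleft a \triangleright r =_{cr} T_a(t) \triangleleft a \triangleright F_a(r)$. 
We define a term $P$ to have the property $\phi_{a,b,c}$ if 

• the central atom of $T_b(P)$ equals $a$, $T_a(T_b(P)) \in_{cr} \{T, F\}$ and $F_a(T_b(P)) \in_{cr} \{T, F\}$, 
and $T_a(T_b(P)) \neq_{cr} F_a(T_b(P))$, 

• the central atom of $F_b(P)$ equals $c$, $T_c(T_b(P)) \in_{cr} \{T, F\}$ and $F_c(T_b(P)) \in_{cr} \{T, F\}$, 
and $T_c(T_b(P)) \neq_{cr} F_c(T_b(P))$. 

Typically, $a \triangleleft b \triangleright c$ has property $\phi_{a,b,c}$. 

Theorem 12.3. If $|A| > 2$ then the conditional operator cannot be expressed modulo con- 
tractive valuation congruence in $T_C^{1,2}(X)$. 

Proof. Let $a, b, c \in A$. It is sufficient to show that no term in $T_C^{1,2}(A)$ has property $\phi_{a,b,c}$. 
A detailed proof of this fact is included in Appendix [S] □ 
Finally, we observe that $x \triangleleft y \triangleright z$ is expressible in $CP_{mem}$ using ${}^{\circ}\!\!\wedge$ and $\neg$ only: first ${}^{\circ}\!\!\vee$ is 
expressible, and 

$$\begin{aligned}
CP_{mem} \vdash (y \;{}^{\circ}\!\!\wedge\; x) \;{}^{\circ}\!\!\vee\; (\neg y \;{}^{\circ}\!\!\wedge\; z) &= T \triangleleft (x \triangleleft y \triangleright F) \triangleright (z \triangleleft (F \triangleleft y \triangleright T) \triangleright F) \\
&= T \triangleleft (x \triangleleft y \triangleright F) \triangleright (F \triangleleft y \triangleright z) \\
&= (T \triangleleft x \triangleright (F \triangleleft y \triangleright z)) \triangleleft y \triangleright (F \triangleleft y \triangleright z) \\
&= (T \triangleleft x \triangleright F) \triangleleft y \triangleright (F \triangleleft y \triangleright z) \\
&= x \triangleleft y \triangleright z.
\end{aligned}$$

Thus, for $x, y, z \in X$ it holds that $(x \triangleleft y \triangleright z) \in_{mem} T_C^{1,2}(X)$. We leave it as an open question 
whether $(x \triangleleft y \triangleright z) \in_{wm} T_C^{1,2}(X)$. 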

13 Projections and the projective limit model 

In this section we introduce the projective limit model $A^{\infty}$ for defining potentially infinite 
propositional statements. 

Let $V$ be the domain of the initial algebra of CP, so each element in $V$ can be represented 
by a basic form. Let $\mathbb{N}^+$ denote $\mathbb{N} \setminus \{0\}$. We first define a so-called projection operator 

$\pi : \mathbb{N}^+ \times V \to V$, 

which will be used to finitely approximate every propositional statement in $V$. We further 
write 

$\pi_n(P)$ 

instead of $\pi(n, P)$. The defining equations for the $\pi_n$-operators are these ($n \in \mathbb{N}^+$): 

$\pi_n(T) = T$, (20) 

$\pi_n(F) = F$, (21) 

$\pi_1(x \triangleleft a \triangleright y) = a$, (22) 

$\pi_{n+1}(x \triangleleft a \triangleright y) = \pi_n(x) \triangleleft a \triangleright \pi_n(y)$, (23) 

for all $a \in A$. We write PR for this set of equations. 

We state without proof that CP + PR is a conservative extension of CP and mention the 
following derivable identities in CP + PR for $a \in A$ and $n \in \mathbb{N}^+$: 

$\pi_n(a) = \pi_n(T \triangleleft a \triangleright F) = a$, 
$\pi_{n+1}(a \circ x) = a \circ \pi_n(x)$. 

Below we prove that for each propositional statement $P$ there exists $n \in \mathbb{N}^+$ such that for 
all $j \in \mathbb{N}$, 

$\pi_{n+j}(P) = P$. 
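The following lemma establishes how the arguments of the projection of a conditional 
composition can be restricted to certain projections, in particular 

$\pi_n(P \triangleleft Q \triangleright R) = \pi_n(\pi_n(P) \triangleleft \pi_n(Q) \triangleright \pi_n(R))$, (24) 

which is a property that we will use in the definition of our projective limit model. 

Lemma 13.1. For all $P, Q, R \in V$ and all $n \in \mathbb{N}^+$, $k, \ell, m \in \mathbb{N}$, 

$\pi_n(P \triangleleft Q \triangleright R) = \pi_n(\pi_{n+k}(P) \triangleleft \pi_{n+\ell}(Q) \triangleright \pi_{n+m}(R))$. 

Proof. We may assume that $Q$ is a basic form. We apply structural induction on $Q$. 
If $Q = T$ then we have to prove that for all $n \in \mathbb{N}^+$ and $k \in \mathbb{N}$, 

$\pi_n(P) = \pi_n(\pi_{n+k}(P))$. 

We may assume that $P$ is a basic form and we apply structural induction on $P$. If $P \in \{T, F\}$ 
we are done. If $P = P_1 \triangleleft a \triangleright P_2$ then we proceed by induction on $n$. The case $n = 1$ is trivial, 
and 

$$\begin{aligned}
\pi_{n+1}(P) &= \pi_{n+1}(P_1 \triangleleft a \triangleright P_2) \\
&= \pi_n(P_1) \triangleleft a \triangleright \pi_n(P_2) \\
&= \pi_n(\pi_{n+k}(P_1)) \triangleleft a \triangleright \pi_n(\pi_{n+k}(P_2)) \\
&= \pi_{n+1}(\pi_{n+k}(P_1) \triangleleft a \triangleright \pi_{n+k}(P_2)).
\end{aligned}$$

If $Q = F$: similar. 

If $Q = Q_1 \triangleleft a \triangleright Q_2$ then we proceed by induction on $n$. The case $n = 1$ is trivial, and 

$$\begin{aligned}
&\pi_{n+1}(P \triangleleft Q \triangleright R) \\
&\quad= \pi_{n+1}(P \triangleleft (Q_1 \triangleleft a \triangleright Q_2) \triangleright R) \\
&\quad= \pi_{n+1}((P \triangleleft Q_1 \triangleright R) \triangleleft a \triangleright (P \triangleleft Q_2 \triangleright R)) \\
&\quad= \pi_n(P \triangleleft Q_1 \triangleright R) \triangleleft a \triangleright \pi_n(P \triangleleft Q_2 \triangleright R) \\
&\quad= \pi_n(\pi_{n+k}(P) \triangleleft \pi_{n+\ell}(Q_1) \triangleright \pi_{n+m}(R)) \triangleleft a \triangleright \pi_n(\pi_{n+k}(P) \triangleleft \pi_{n+\ell}(Q_2) \triangleright \pi_{n+m}(R)) \\
&\quad= \pi_n(\pi_{n+k+1}(P) \triangleleft \pi_{n+\ell}(Q_1) \triangleright \pi_{n+m+1}(R)) \triangleleft a \triangleright \pi_n(\pi_{n+k+1}(P) \triangleleft \pi_{n+\ell}(Q_2) \triangleright \pi_{n+m+1}(R)) \\
&\quad= \pi_{n+1}((\pi_{n+k+1}(P) \triangleleft \pi_{n+\ell}(Q_1) \triangleright \pi_{n+m+1}(R)) \triangleleft a \triangleright (\pi_{n+k+1}(P) \triangleleft \pi_{n+\ell}(Q_2) \triangleright \pi_{n+m+1}(R))) \\
&\quad= \pi_{n+1}(\pi_{n+k+1}(P) \triangleleft (\pi_{n+\ell}(Q_1) \triangleleft a \triangleright \pi_{n+\ell}(Q_2)) \triangleright \pi_{n+m+1}(R)) \\
&\quad= \pi_{n+1}(\pi_{n+1+k}(P) \triangleleft \pi_{n+1+\ell}(Q) \triangleright \pi_{n+1+m}(R)).
\end{aligned}$$

□ 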

The projective limit model $A^\infty$ is defined as follows:

• The domain of $A^\infty$ is the set of projective sequences $(P_n)_{n \in \mathbb{N}^+}$: these are all sequences with the property that all $P_n$ are in $V$ and satisfy

$$\pi_n(P_{n+1}) = P_n,$$

so that they can be seen as successive projections of the same infinite propositional statement (observe that $\pi_n(P_n) = P_n$). We write $V^\infty$ for this domain, and we further write $(P_n)_n$ instead of $(P_n)_{n \in \mathbb{N}^+}$.

• Equivalence of projective sequences in $A^\infty$ is defined component-wise, thus $(P_n)_n = (Q_n)_n$ if for all $n$, $P_n = Q_n$.

• The constants $T$ and $F$ are interpreted in $A^\infty$ as the projective sequences that consist solely of these respective constants.

• An atomic proposition $a$ is interpreted in $A^\infty$ as the projective sequence $(a, a, a, \ldots)$.

• Projection in $A^\infty$ is defined component-wise, thus $\pi_k((P_n)_n) = (\pi_k(P_n))_n$.

• Conditional composition in $A^\infty$ is defined using projections:

$$(P_n)_n \triangleleft (Q_n)_n \triangleright (R_n)_n = (\pi_n(P_n \triangleleft Q_n \triangleright R_n))_n.$$

The projections are needed if the depth of a component $P_n \triangleleft Q_n \triangleright R_n$ exceeds $n$. Equation (24) implies that this definition indeed yields a projective sequence:

$$\begin{aligned}
\pi_n(\pi_{n+1}(P_{n+1} \triangleleft Q_{n+1} \triangleright R_{n+1})) &= \pi_n(P_{n+1} \triangleleft Q_{n+1} \triangleright R_{n+1})\\
&= \pi_n(\pi_n(P_{n+1}) \triangleleft \pi_n(Q_{n+1}) \triangleright \pi_n(R_{n+1}))\\
&= \pi_n(P_n \triangleleft Q_n \triangleright R_n).
\end{aligned}$$

The following result can be proved straightforwardly:

Theorem 13.2. $A^\infty \models \mathrm{CP} + \mathrm{PR}$.

The projective limit model $A^\infty$ contains elements that are not the interpretation of finite propositional statements in $V$ (in other words, elements of infinite depth). In the next section we discuss some examples.

14 Recursive specifications 

In this section we discuss recursive specifications over $\Sigma_{\mathrm{CP}}(A)$, which provide an alternative and simple way to define propositional statements in $A^\infty$. We first restrict ourselves to a simple class of recursive specifications: Given $\ell > 0$, a set

$$E = \{X_i = t_i \mid i = 1, \ldots, \ell\}$$

of equations is a linear specification over $\Sigma_{\mathrm{CP}}(A)$ if

$$t_i ::= T \mid F \mid X_j \triangleleft a_i \triangleright X_k$$

for $i, j, k \in \{1, \ldots, \ell\}$ and $a_i \in A$. A solution for $E$ in $A^\infty$ is a series of propositional statements

$$(P_{1,n})_n, \ldots, (P_{\ell,n})_n$$

such that $(P_{i,n})_n$ solves the equation for $X_i$. In $A^\infty$, solutions for linear specifications exist. This follows from the property that for each $m \in \mathbb{N}^+$, $\pi_m(X_i)$ can be computed as a propositional statement in $V$ by replacing variables $X_j$ by $t_j$ sufficiently often. For example, if

$$E = \{X_1 = X_3 \triangleleft a \triangleright X_2,\ X_2 = b \circ X_1,\ X_3 = T\}$$

we find $\pi_m(X_3) = \pi_m(T) = T$ for all $m \in \mathbb{N}^+$, and

$$\begin{aligned}
\pi_1(X_2) &= \pi_1(b \circ X_1) = b, & \pi_{m+1}(X_2) &= \pi_{m+1}(b \circ X_1) = b \circ \pi_m(X_1),\\
\pi_1(X_1) &= \pi_1(X_3 \triangleleft a \triangleright X_2) = a, & \pi_{m+1}(X_1) &= \pi_{m+1}(X_3 \triangleleft a \triangleright X_2) = T \triangleleft a \triangleright \pi_m(X_2),
\end{aligned}$$

and we can in this way construct a projective sequence per variable. We state without proof that for a linear specification $E = \{X_i = t_i \mid i = 1, \ldots, \ell\}$ such sequences model unique solutions in $A^\infty$,¹ and we write

$$\langle X_i | E \rangle$$

for the solution of $X_i$ as defined in $E$. In order to reason about linearly specified propositional statements, we add these constants to the signature $\Sigma_{\mathrm{CP}}$, which consequently satisfy the equations

$$\langle X_i | E \rangle = \langle t_i | E \rangle$$

where $\langle t_i | E \rangle$ is defined by replacing each $X_j$ in $t_i$ by $\langle X_j | E \rangle$. The proof principle introducing these identities is called the Recursive Definition Principle (RDP), and for linear specifications RDP is valid in the projective limit model $A^\infty$.² As illustrated above, all solutions satisfy

$$\langle X_i | E \rangle = (\pi_n(\langle X_i | E \rangle))_n.$$

Some examples of propositional statements defined by recursive specifications are these:



1 $A^\infty$ can be turned into a metric space by defining $d((P_n)_n, (Q_n)_n) = 2^{-n}$ for $n$ the least value with $P_n \neq Q_n$. The existence of unique solutions for linear specifications then follows from Banach's fixed point theorem; a comparable and detailed account of this fact can be found in [25].

2 A nice and comparable account of the validity of RDP in the projective limit model for ACP is given in pQ. 
In that text book, a sharp distinction is made between RDP — stating that certain recursive specifications 
have at least a solution per variable — and the Recursive Specification Principle (RSP), stating that they 
have at most one solution per variable. The uniqueness of solutions per variable then follows by establishing 
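the validity of both RDP and RSP.

• For $E = \{X_1 = X_2 \triangleleft a \triangleright X_3,\ X_2 = T,\ X_3 = F\}$ we find

$$\langle X_1 | E \rangle = (a, a, a, \ldots)$$

which in the projective limit model represents the atomic proposition $a$. Indeed, by RDP we find $\langle X_1 | E \rangle = \langle X_2 | E \rangle \triangleleft a \triangleright \langle X_3 | E \rangle = T \triangleleft a \triangleright F = a$.

• For $E = \{X_1 = X_2 \triangleleft a \triangleright X_3,\ X_2 = T,\ X_3 = T\}$ we find

$$\langle X_1 | E \rangle = (a,\ a \circ T,\ a \circ T,\ a \circ T,\ \ldots)$$

which in the projective limit model represents $a \circ T$. By RDP we find $\langle X_1 | E \rangle = a \circ T$.

• For $E = \{X_1 = X_3 \triangleleft a \triangleright X_2,\ X_2 = b \circ X_1,\ X_3 = T\}$ as discussed above, we find

$$\langle X_1 | E \rangle = (a,\ T \triangleleft a \triangleright b,\ T \triangleleft a \triangleright b \circ a,\ T \triangleleft a \triangleright b \circ (T \triangleleft a \triangleright b),\ \ldots)$$

which in the projective limit model represents an infinite propositional statement, that is, one that satisfies

$$\pi_i(\langle X_1 | E \rangle) = \pi_j(\langle X_1 | E \rangle) \implies i = j,$$

and thus has infinite depth. By RDP we find $\langle X_1 | E \rangle = T \triangleleft a \triangleright b \circ \langle X_1 | E \rangle$. We note that the infinite propositional statement $\langle X_1 | E \rangle$ can be characterized as

$$\mathtt{while}\ \neg a\ \mathtt{do}\ b.$$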

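An example of a projective sequence that cannot be defined by a linear specification, but that can be defined by the infinite linear specification $I = \{X_i = t_i \mid i \in \mathbb{N}^+\}$ with

$$t_i = \begin{cases} a \circ X_{i+1} & \text{if } i \text{ is prime},\\ b \circ X_{i+1} & \text{otherwise}, \end{cases}$$

is $\langle X_1 | I \rangle$, satisfying

$$\langle X_1 | I \rangle = (b,\ b \circ a,\ b \circ a \circ a,\ b \circ a \circ a \circ b,\ b \circ a \circ a \circ b \circ a,\ \ldots).$$

Other examples of projective sequences that cannot be defined by a finite linear specification are $\langle X_j | I \rangle$ for any $j > 1$.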
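The projection equations (20)-(23), the unfolding of a linear specification and the component-wise conditional composition of the limit model can be run directly on basic forms. The following Python sketch is an added example, not code from the paper; the class `Cond` and the functions `atom`, `seq`, `cond`, `proj`, `depth`, `solve`, `is_projective` and `limit_cond` are names chosen here, and a specification is encoded as a dictionary whose triples `(Xj, a, Xk)` stand for $X_j \triangleleft a \triangleright X_k$.

```python
from dataclasses import dataclass

T, F = "T", "F"

@dataclass(frozen=True)
class Cond:
    """Basic form  left ◁ atom ▷ right  (the central condition is an atom)."""
    left: object
    atom: str
    right: object

def atom(a):
    """The atomic proposition a, i.e. T ◁ a ▷ F."""
    return Cond(T, a, F)

def seq(a, x):
    """a ∘ x, i.e. x ◁ a ▷ x: test a, ignore the reply, continue with x."""
    return Cond(x, a, x)

def cond(p, q, r):
    """p ◁ q ▷ r rewritten to a basic form, for basic forms p, q, r."""
    if q == T:
        return p
    if q == F:
        return r
    # x ◁ (y ◁ a ▷ z) ▷ u = (x ◁ y ▷ u) ◁ a ▷ (x ◁ z ▷ u), the step used in Lemma 13.1
    return Cond(cond(p, q.left, r), q.atom, cond(p, q.right, r))

def proj(n, p):
    """pi_n(p) following equations (20)-(23); n must be at least 1."""
    if n < 1:
        raise ValueError("projections start at depth 1")
    if p in (T, F):
        return p
    if n == 1:
        return atom(p.atom)
    return Cond(proj(n - 1, p.left), p.atom, proj(n - 1, p.right))

def depth(p):
    """Length of the longest chain of atomic tests in a basic form."""
    return 0 if p in (T, F) else 1 + max(depth(p.left), depth(p.right))

def solve(spec, var, m):
    """pi_m of the solution for `var`, obtained by unfolding equations m levels."""
    rhs = spec[var]
    if rhs in (T, F):
        return rhs
    left, a, right = rhs
    if m == 1:
        return atom(a)
    return Cond(solve(spec, left, m - 1), a, solve(spec, right, m - 1))

def is_projective(seq_fn, upto):
    """Check pi_n(P_{n+1}) = P_n for n = 1..upto."""
    return all(proj(n, seq_fn(n + 1)) == seq_fn(n) for n in range(1, upto + 1))

def limit_cond(ps, qs, rs):
    """Component n of (P_n)_n ◁ (Q_n)_n ▷ (R_n)_n in the limit model."""
    return lambda n: proj(n, cond(ps(n), qs(n), rs(n)))

# Third example above: X1 = X3 ◁ a ▷ X2, X2 = b ∘ X1, X3 = T
E = {"X1": ("X3", "a", "X2"), "X2": ("X1", "b", "X1"), "X3": T}
x1 = lambda n: solve(E, "X1", n)
x2 = lambda n: solve(E, "X2", n)

if __name__ == "__main__":
    for n in range(1, 5):
        print(n, depth(x1(n)), x1(n))
    print(is_projective(x1, 6), is_projective(limit_cond(x1, x2, x1), 6))
```

The depth of the $n$-th component of $\langle X_1 | E \rangle$ grows with $n$, which is the infinite-depth property stated above, while the components of the second example stabilise at $a \circ T$.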

Returning to Example (Q]) of a propositional statement sketched in Section [5J we can be 
more explicit now: the recursively defined propositional statement $\langle X_1 | E \rangle$ with $E$ containing

$$X_1 = X_2 \triangleleft \textit{green-light} \triangleright X_1,$$

$$X_2 = X_3 \triangleleft (\textit{look-left-and-check} \mathbin{\circ\!\!\!\wedge} \textit{look-right-and-check} \mathbin{\circ\!\!\!\wedge} \textit{look-left-and-check}) \triangleright X_1,$$

$$X_3 = \ldots$$

models in a straightforward way a slightly larger part of the processing of a pedestrian planning to cross a road with two-way traffic driving on the right.

15 Application perspective

Although we consider the family of models for CP, ranging from free valuation congruence 
to static valuation congruence to be of independent importance, it is evidently reasonable 
to ask what application perspective these matters may have. 

There is a remarkably wide range of scenarios of usage for propositional statements in 
general. A proposition P may be used to express a matter of fact, a belief, an objective or 
a desire. It may also express a general law considered invariant in time in an appropriate 
setting, or rather an (intended) variant for some product of human design. Then P may 
serve as an element of a knowledge-base, or as a phrase used in communication or broadcast. 
Finally, and most relevant to the discussion below, a major use for a proposition is to serve as a condition which impacts future behavior. This is primarily exemplified in program fragments of the form

$$\ldots;\ \mathtt{if}\ \{P\}\ \mathtt{then}\ \{S_1\}\ \mathtt{else}\ \{S_2\};\ \ldots$$

During execution of this fragment, $P$ must be evaluated. Evaluation of $P$ can take many forms, ranging from finding a proof for either $P$ or $\neg P$ from the information contained in some knowledge-base, by means of either monotonic or non-monotonic logic, perhaps constrained by resource bounds, to bottom-up evaluation using the atoms contained in $P$ as primitive queries. The primary role of $P$ as a propositional statement with constants from $A \cup \{T, F\}$ and connectives $\neg$, $\mathbin{\circ\!\!\!\wedge}$, $\mathbin{\circ\!\!\!\vee}$, $\_ \triangleleft \_ \triangleright \_$ is to serve as a condition in the latter sense, as $P$ expresses a meaningful condition while its particular form in addition has an algorithmic significance by imposing a specific strategy for sequential bottom-up evaluation.

Let $P = a \mathbin{\circ\!\!\!\wedge} ((b \mathbin{\circ\!\!\!\vee} (\neg a \mathbin{\circ\!\!\!\wedge} c)) \mathbin{\circ\!\!\!\vee} (d \mathbin{\circ\!\!\!\wedge} \neg a))$. Then evaluation of $P$ will involve one, two or even three evaluations of $a$. To begin with we provide a survey of different ways in which the atomic query $a$ can be handled:

1. The atomic query a may inspect a static database. Subsequent queries provide identical 
results, different queries don't affect one another. 

2. The atomic query a may inspect a dynamic database. Subsequent queries may return 
different values but will not cause fluctuations in the response of other atomic queries. 

3. The atomic query a may be handed over to a "truth maintenance system" (TMS) 
which tries to prove it, and otherwise returns F. The knowledge-base managed by this 
TMS itself may be regularly changed by means of a mechanism (often called a "belief 
revision mechanism") that processes a stream of incoming, potentially authoritative 
information. 

4. The atomic query a itself may call another program that has some or even significant 
side effects which may influence the replies provided for forthcoming atomic tests. 

5. Like 4, but observing the side effect of a task may be limited to agents that operate 
on a high security level. 

We say that a propositional statement $P$ is in monotest form if no atom can be evaluated more than once. If $P$ is in monotest form then fluctuations regarding the evaluation of a single test have no impact on $P$. Rewriting to monotest form can always be done modulo static valuation congruence. The operator caching(X) on basic forms will produce an equivalent monotest form:

$$\mathrm{caching}(T) = T, \qquad \mathrm{caching}(F) = F,$$
$$\mathrm{caching}(x \triangleleft a \triangleright y) = \mathrm{caching}([T/a]x) \triangleleft a \triangleright \mathrm{caching}([F/a]y).$$

Now transforming a propositional statement $P$ into $\mathrm{caching}(\mathit{bf}(P))$ may involve a combinatorial explosion in size. Suppose $\mathit{mf}(P)$ finds a monotest form for $P$ modulo $=_{mem}$ in polynomial time. Then

$$\mathrm{SAT}_{mem}(P) \iff \mathrm{SAT}_{mem}(\mathit{mf}(P)) \iff \mathrm{SAT}_{cr}(\mathit{mf}(P)).$$

Then $\mathrm{SAT}_{mem}$ would be in $\mathrm{P}$ while it is known to be NP-complete. As it turns out, the combinatorial explosion in size that comes with the transformation $P \mapsto \mathrm{caching}(\mathit{bf}(P))$ is no coincidence and for that reason for larger conditions it is reasonable to assume that these are not in monotest form.

Except for the case that atomic tests are evaluated from a static database, fluctuating replies cannot be excluded. Now consider program $X$ with

$$X = C[\mathtt{if}\ \{P\}\ \mathtt{then}\ \{S_1\}\ \mathtt{else}\ \{S_2\}]$$

and assume that $P$ is not in monotest form and that subsequent evaluations of atomic tests may have different results. At this stage awareness of proposition algebra may be of use in contemplating revisions of the design of the program. If the "internal logic" of $P$ (i.e., the rationale of $P$'s occurrence in $X$) is defeated by such fluctuations,

$$C[\mathtt{if}\ \{\mathrm{caching}(\mathit{bf}(P))\}\ \mathtt{then}\ \{S_1\}\ \mathtt{else}\ \{S_2\}]$$

may be considered an improved design of the program (to implement this concisely, one may need auxiliary Boolean variables). But a disadvantage of this transformation is that in some cases a cached outcome of an atomic test is "outdated". If neither consistency (no fluctuation), nor the use of outdated values is a serious worry, there is no incentive to change the design of $X$. If, however, the use of outdated values is to be preferably prevented, then one may instead decide to restart the evaluation of $P$ whenever a repeated atomic test returns a different value. Here is an operation $\text{re-eval}_{V,W}(Q)$ which serves that purpose, where $V, W \subseteq A$, $V \cap W = \emptyset$ and $Q$ is a subformula of $P$. $\text{re-eval}_{V,W}(Q)$ evaluates $Q$ using the information that preceding tests $a \in V$ have returned $T$ and preceding tests $a \in W$ have returned $F$. If a reply is observed that fails to match with this information, evaluation of $P$ starts again with both $V$ and $W$ made empty:

$$\begin{aligned}
\text{re-eval}(P) &= \text{re-eval}_{\emptyset,\emptyset}(P),\\
\text{re-eval}_{V,W}(T) &= T, \qquad \text{re-eval}_{V,W}(F) = F,\\
\text{re-eval}_{V,W}(Q \triangleleft a \triangleright R) &= \text{re-eval}_{V \cup \{a\},W}(Q) \triangleleft a \triangleright \text{re-eval}_{V,W \cup \{a\}}(R) && \text{if } a \notin V \cup W,\\
\text{re-eval}_{V,W}(Q \triangleleft a \triangleright R) &= \text{re-eval}_{V,W}(Q) \triangleleft a \triangleright \text{re-eval}_{\emptyset,\emptyset}(P) && \text{if } a \in V,\\
\text{re-eval}_{V,W}(Q \triangleleft a \triangleright R) &= \text{re-eval}_{\emptyset,\emptyset}(P) \triangleleft a \triangleright \text{re-eval}_{V,W}(R) && \text{if } a \in W.
\end{aligned}$$

Observe that $\text{re-eval}_{\emptyset,\emptyset}(P)$ determines a proposition in the projective limit model.

Now one may be afraid that repeated fluctuations cause $\text{re-eval}_{\emptyset,\emptyset}(P)$ to diverge in adverse circumstances. A new test DLNI (deadline not imminent) may be introduced which is used to assert whether or not time suffices for a full re-evaluation of $P$. The following modification for the design of $\text{re-eval}_{\emptyset,\emptyset}$ is plausible:

$$\text{re-eval}_{V,W}(Q \triangleleft a \triangleright R) = \text{re-eval}_{V,W}(Q) \triangleleft a \triangleright (\text{re-eval}_{\emptyset,\emptyset}(P) \triangleleft \mathrm{DLNI} \triangleright R) \quad \text{if } a \in V,$$

and symmetrically for $a \in W$. Now one might be dissatisfied with $R$ not using the information contained in $V$ and $W$. Then one may use instead $[T/V, F/W]R$, the modification of $R$ in which its atoms that are in $V$ ($W$) are substituted by $T$ ($F$):

$$\text{re-eval}_{V,W}(Q \triangleleft a \triangleright R) = \text{re-eval}_{V,W}(Q) \triangleleft a \triangleright (\text{re-eval}_{\emptyset,\emptyset}(P) \triangleleft \mathrm{DLNI} \triangleright [T/V, F/W]R) \quad \text{if } a \in V,$$

and symmetrically for $a \in W$.

Proposition algebra provides an approach that allows one to compare and develop these design alternatives within a formal setting. The advantage of doing so is a matter of separation of concerns, which can be considered a big issue for imperative programming.
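The three designs compared in this section (plain sequential evaluation, the caching transformation, and re-evaluation with the optional DLNI test) can be set side by side on one condition whose atom is tested twice while its reply fluctuates. The Python sketch below is an added example, not code from the paper; `SAMPLE_P`, `REPLIES` and the scripted environment are constructed for illustration, the function names are chosen here, and re-evaluation is written as an evaluation loop rather than as a term of the projective limit model.

```python
from dataclasses import dataclass

T, F = "T", "F"

@dataclass(frozen=True)
class Cond:
    """Basic form  left ◁ atom ▷ right."""
    left: object
    atom: str
    right: object

def scripted(replies):
    """Constructed environment: each atom answers from its own list of replies,
    in order; once the list is used up, the last reply repeats."""
    asked = {a: 0 for a in replies}
    def ask(a):
        answers = replies[a]
        value = answers[min(asked[a], len(answers) - 1)]
        asked[a] += 1
        return value
    return ask

def plain_eval(p, ask):
    """Sequential evaluation: every occurrence of an atom is a fresh query."""
    while p not in (T, F):
        p = p.left if ask(p.atom) else p.right
    return p

def assume(x, a, reply):
    """[T/a]x (reply=True) or [F/a]x (reply=False) on a basic form."""
    if x in (T, F):
        return x
    if x.atom == a:
        return assume(x.left if reply else x.right, a, reply)
    return Cond(assume(x.left, a, reply), x.atom, assume(x.right, a, reply))

def caching(x):
    """Monotest form: caching(x ◁ a ▷ y) = caching([T/a]x) ◁ a ▷ caching([F/a]y)."""
    if x in (T, F):
        return x
    return Cond(caching(assume(x.left, x.atom, True)), x.atom,
                caching(assume(x.right, x.atom, False)))

def re_eval(p, ask, deadline_atom=None):
    """Evaluate p and restart from scratch when a repeated atom contradicts its
    earlier reply; V and W hold the atoms that replied T and F since the last
    restart. With deadline_atom set (DLNI above), a restart happens only if
    that test replies T; otherwise the selected branch is evaluated plainly.
    Returns (truth value, number of restarts)."""
    V, W, node, restarts = set(), set(), p, 0
    while node not in (T, F):
        a = node.atom
        reply = ask(a)
        branch = node.left if reply else node.right
        if (a in V and not reply) or (a in W and reply):
            if deadline_atom is not None and not ask(deadline_atom):
                return plain_eval(branch, ask), restarts
            V, W, node, restarts = set(), set(), p, restarts + 1
            continue
        (V if reply else W).add(a)
        node = branch
    return node, restarts

# Constructed condition: (T ◁ b ▷ (c ◁ a ▷ F)) ◁ a ▷ F, where atom a is tested twice.
SAMPLE_P = Cond(Cond(T, "b", Cond(Cond(T, "c", F), "a", F)), "a", F)
# Constructed replies: a flips from T to F between its first and second test.
REPLIES = {"a": [True, False, True], "b": [False], "c": [True], "DLNI": [False]}

def compare():
    """Outcome of each design against a fresh copy of the same environment."""
    return {
        "plain": plain_eval(SAMPLE_P, scripted(REPLIES)),
        "cached": plain_eval(caching(SAMPLE_P), scripted(REPLIES)),
        "re_eval": re_eval(SAMPLE_P, scripted(REPLIES)),
        "re_eval_deadline": re_eval(SAMPLE_P, scripted(REPLIES), "DLNI"),
    }
```

The scripted environment settles on a final reply, so `re_eval` terminates here; against replies that never settle, the variant without `deadline_atom` keeps restarting, which is the divergence discussed above.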

16 Conclusions 

Proposition algebra in the form of CP for propositional statements with conditional composition and either enriched or not with negation and sequential connectives, is proposed as
an abstract data type. Free valuations provide the natural semantics for CP and these are 
semantically at the opposite end of static valuations. It is shown that taking conditional 
composition and free valuations as a point of departure implies that a ternary connective is 
needed for functional completeness; binary connectives are not sufficient. Furthermore, CP 
admits a meaningful and non-trivial extension to projective limits, and this constitutes the 
most simple case of an inverse limit construction that we can think of. 

The potential role of proposition algebra is only touched upon by some examples. It 
remains a challenge to find convincing examples that require reactive valuations, and to 
find earlier accounts of this type of semantics for propositional logic. The basic idea of 
proposition algebra with free and reactive valuations can be seen as a combination of the 
following two ideas: 

• Consider atomic propositions as events (queries) that can have a side effect in a sequential system, and take McCarthy's sequential evaluation as described in [20] to 2-valued propositional logic; this motivates reactive valuations as those that define evaluation or computation as a sequential phenomenon.

• In the resulting setting, Hoare's conditional composition as introduced in [17] is more natural than the sequential, non-commutative versions of conjunction and disjunction, and (as it appears) more expressive: a ternary connective is needed anyhow.

For conditional composition we have chosen the notation from Hoare [17] in spite of the fact that our theme is technically closer to thread algebra [B] where a different notation is used. We chose the notation $\_ \triangleleft \_ \triangleright \_$ because its most well-known semantics is static valuation semantics (which is simply conventional propositional logic) for which this notation was introduced in [17].³ To some extent, thread algebra and propositional logic in the style of [17] are models of the same signature. A much more involved use of conditional composition can be found in [23], where the propositional fragment of Belnap's four-valued logic [2] is characterized using only conditional composition and his four constants representing these truth values.

In this paper we assumed that $|A| > 1$. The case that $|A| = 1$ is in detail described in [24]. In particular, $=_{rp}$ and $=_{st}$ and thus all valuation congruences in between coincide in this case.

Related work. We end with a few notes on related matters. 

1. On McCarthy's conditional expressions [20]. In quite a few papers the 'lazy evaluation' semantics proposed in McCarthy's work is discussed, or taken as a point of departure. We mention a few of these in reverse chronological order:

Hähnle states in his paper Many-valued logic, partiality, and abstraction in formal specification languages [15] that

"sequential conjunction [...] represents the idea that if the truth value can be determined after evaluation of the first argument, then the result is computed without looking at the second argument. Many programming languages contain operators that exhibit this kind of behavior".

Furthermore, Konikowska describes in [19] a model of so-called McCarthy algebras in terms of three-valued logic, while restricting to the well-known symmetric binary connectives, and provides sound axiomatizations and representation results. This is achieved by admitting only $T$ and $F$ as constants in a McCarthy algebra, and distinguishing an element $a$ as in one of four possible classes ('positive' if $a \vee x = a$, 'negative' if $a \wedge x = a$, 'defined' if $a \wedge \neg a = F$, and 'strictly undefined' if $a = \neg a$).

Finally, Bloom and Tindell discuss in their paper Varieties of "if-then-else" [11] various modelings of conditional composition, both with and without a truth value undefined, while restricting to the "redundancy law"

$$(x \triangleleft y \triangleright z) \triangleleft y \triangleright u = x \triangleleft y \triangleright u,$$

a law that we called CPcontr in Section [5] and that generalizes the axiomatization of contractive valuation congruence defined in that section to an extent in which only the difference between $T$, $F$ and undefined plays a decisive role.

As far as we can see, none of the papers mentioned here even suggests the idea of free or reactive valuation semantics. Another example where sequential operators play a role is Quantum logic (for a brief overview see [25]), where next to normal conjunction a notion of sequential conjunction $\sqcap$ is exploited that is very similar to $\mathbin{\circ\!\!\!\wedge}$ (and that despite its notation is certainly not symmetric).

3 This notation was used by Hoare in his 1985 book on CSP [18] and by Hoare et al. in the well-known 1987 paper Laws of Programming [16] for expressions $P \triangleleft b \triangleright Q$ with $P$ and $Q$ programs and $b$ a Boolean expression without mention of [17] that appeared in 1985.

2. Concerning projections and the projective limit model $A^\infty$ we mention that in much current research and exposition, projections are defined also for depth 0 (see, e.g., [BJ [25] for thread algebra, and [14] for process algebra). However, CP does not have a natural candidate for $\pi_0(P)$ and therefore we stick to the original approach as described in [5] (and overviewed in [TJ) that starts from projections with depth 1.

3. Reactive valuations were in a different form employed in accounts of process algebra with propositional statements: in terms of operational semantics, this involves transitions

$$P \xrightarrow{w,a} Q$$

for process expressions $P$ and $Q$ with $a$ an action and $w$ ranging over a class of valuations. In particular this approach deals with process expressions that contain propositional statements in the form of guarded commands, such as $\phi :\to P$ that has a transition

$$(\phi :\to P) \xrightarrow{w,a} Q$$

if $P \xrightarrow{w,a} Q$ and $w(\phi) = T$. For more information about this approach, see, e.g., [7] [8].

A Proof of Theorem \TT3\

Proof. This proof has the same structure as the proof of Theorem 112.21 but a few cases require more elaboration.

Towards a contradiction, assume that $t \in$ Tq' (A) is a term with property $\phi_{a,b,c}$ and $\#_{2p}(t)$ is minimal.

We first argue that $t \neq f(b, t')$ for some binary function $f$ and term $t'$. Suppose otherwise, then $b$ must be the central condition in $f(b, t')$, so $f(b, t') =_{cr} g(b, t') \triangleleft b \triangleright h(b, t')$ for certain binary functions $g$ and $h$ in Tq (X). Notice that because $b$ is not central in $T_b(g(b, t'))$, a different atom must be central in this term, and this atom must be $a$. For this to hold, $a$ must be central in $T_b(t')$ and no atom different from $a$ can be tested by the first requirement of $\phi_{a,b,c}$. So, after contraction of all further $a$'s we find

$$T_b(t') =_{cr} P \triangleleft a \triangleright Q$$

with $P, Q \in \{T, F\}$, and similarly

$$F_b(t') =_{cr} P' \triangleleft c \triangleright Q'$$

with $P', Q' \in \{T, F\}$. If $P \neq Q$ and $P' \neq Q'$, then $t'$ is a term that satisfies $\phi_{a,b,c}$, but $t'$ is a term with lower $\#_{2p}$-value than $g(b, t') \triangleleft b \triangleright h(b, t')$, which is a contradiction. If either $P = Q$ or $P' = Q'$, then

$$t =_{cr} (P \triangleleft a \triangleright Q) \triangleleft b \triangleright (P' \triangleleft c \triangleright Q'),$$

which contradicts $\phi_{a,b,c}$.

So it must be the case that

$$t = r(f(b, t'))$$

for some term $r(x) \in$ Tq ({x}) such that $b$ is central in $f(b, t')$ and $x$ is central in $r(x)$. If no such term $r(x)$ exists, then $t = f'(a')$ with $f'(x)$ a unary operator definable in Tq ({x}) and $a' \in A$, which cannot hold because $t$ needs to contain $a$, $b$ and $c$.

Also there cannot be a unary function $f' \in$ Tq ({x}) with $r(f'(b)) =_{cr} r(f(b, t'))$, otherwise $r(f'(b)) \in$ T^ 2 (A) while $\#_{2p}(r(f'(b))) < \#_{2p}(r(f(b, t')))$, which is a contradiction. As $x$ is central in $f(x, y)$ we may write

$$f(x, y) =_{cr} g(x, y) \triangleleft x \triangleright h(x, y)$$

for binary operators $g$ and $h$. Because $b$ is central in $t$ we find

$$t =_{cr} r(T_b(g(b, t')) \triangleleft b \triangleright F_b(h(b, t'))).$$

We proceed with a case distinction on the form that $T_b(g(b, t'))$ and $F_b(h(b, t'))$ may take. At least one of these is modulo cr not equal to $T$ or $F$ (otherwise $f(b, t')$ could be replaced by $f'(b)$ for some unary function $f'$ and this was excluded above).

1. Suppose $T_b(g(b, t')) \notin_{cr} \{T, F\}$ and $F_b(h(b, t')) \notin_{cr} \{T, F\}$. We show that this is not possible: first notice that because $b$ is not central in $T_b(g(b, t'))$, a different atom must be central in this term, and this atom must be $a$. For this to hold, $a$ must be central in $T_b(t')$ and no atom different from $a$ can be tested by the first requirement of $\phi_{a,b,c}$. So, after contraction of all further $a$'s we find

$$T_b(t') =_{cr} P \triangleleft a \triangleright Q$$

with $P, Q \in \{T, F\}$, and similarly $F_b(t') =_{cr} P' \triangleleft c \triangleright Q'$ with $P', Q' \in \{T, F\}$.

If $P \neq Q$ and $P' \neq Q'$, then $t'$ is a term that satisfies $\phi_{a,b,c}$, but $t'$ is a term with lower $\#_{2p}$-value than $r(g(b, t') \triangleleft b \triangleright h(b, t'))$, which is a contradiction.

Assume $P = Q$ (the case $P' = Q'$ is symmetric).

Now $t =_{cr} r(T_b(g(b, t')) \triangleleft b \triangleright F_b(h(b, t')))$, and no $b$'s can occur in $T_b(g(b, t'))$, so

$$T_b(g(b, t')) \in_{cr} \{P \triangleleft a \triangleright Q,\ F \triangleleft (P \triangleleft a \triangleright Q) \triangleright T,\ (P \triangleleft a \triangleright Q) \circ T,\ (P \triangleleft a \triangleright Q) \circ F\}.$$

For $F_b(h(b, t'))$ a similar argument applies, which implies that (recall $P = Q$)

$$T_b(g(b, t')) =_{cr} a \circ P \quad \text{and} \quad F_b(h(b, t')) =_{cr} P' \triangleleft c \triangleright Q' \quad \text{with } P, P', Q' \in \{T, F\}.$$

Assume $P = T$ (the case $P = F$ is symmetric). So in this case

$$t =_{cr} r((a \circ T) \triangleleft b \triangleright (P' \triangleleft c \triangleright Q')),$$

and we distinguish two cases:

i. $P' = T$ or $Q' = T$. Now the reply to $a$ in $a \circ T$ following a positive reply to the initial $b$ has no effect, so this $a$ must be followed by another central $a$. But this last $a$ can also be reached after a $b$ and a $c$, which contradicts $\phi_{a,b,c}$.

ii. $P' = Q' = F$. Since property $\phi_{a,b,c}$ holds it must be the case that $a$ is a central condition in $r(T)$ with the property that $T_a(r(T)) \neq_{cr} F_a(r(T))$, otherwise the initial $b$ that stems from the substitution $x \mapsto (a \circ T) \triangleleft b \triangleright (c \circ F)$ in $r(x)$ is upon reply $T$ immediately followed by $a \circ T$ and each occurrence of this $a$ is not able to yield both $T$ and $F$, contradicting $\phi_{a,b,c}$. (And also because this substitution yields no further occurrences of $b$ upon reply $T$.)

Similarly, $c$ is a central condition in $r(F)$ with the property that $T_c(r(F)) \neq_{cr} F_c(r(F))$. We find that $r(b)$ also satisfies $\phi_{a,b,c}$. Now observe that $r(b)$ is a term with lower $\#_{2p}$-value than $r(f(b, t'))$, which is a contradiction.

2. We are left with four cases: either $a$ is central in $T_b(g(b, t'))$ and $F_b(h(b, t')) \in_{cr} \{T, F\}$, or $c$ is central in $F_b(h(b, t'))$ and $T_b(g(b, t')) \in_{cr} \{T, F\}$. These cases are symmetric and it suffices to consider only the first one, the others can be dealt with similarly.

So assume $a$ is central in $T_b(g(b, t'))$ and $F_b(h(b, t')) =_{cr} T$. This implies $T_b(g(b, t')) =_{cr} P \triangleleft a \triangleright Q$ for some $P, Q$, and after contraction of all $a$'s in $P$ and $Q$,

$$T_b(g(b, t')) =_{cr} P' \triangleleft a \triangleright Q' \quad \text{for some } P', Q' \in \{T, F\}.$$

We find

$$t =_{cr} r((P' \triangleleft a \triangleright Q') \triangleleft b \triangleright T),$$

and we distinguish two cases:

i. $P' = T$ or $Q' = T$. Now $c$ can be reached after a negative reply to $b$ according to $\phi_{a,b,c}$, but this $c$ can also be reached after a positive reply to $b$ and the appropriate reply to $a$, which contradicts $\phi_{a,b,c}$.

ii. $P' = Q' = F$. Since property $\phi_{a,b,c}$ holds it must be the case that $a$ is a central condition in $r(F)$ with the property that $T_a(r(F)) \neq_{cr} F_a(r(F))$, otherwise the initial $b$ that stems from the substitution $x \mapsto (a \circ F) \triangleleft b \triangleright T$ in $r(x)$ is upon reply $T$ immediately followed by $a \circ F$ and each occurrence of this $a$ is not able to yield both $T$ and $F$, contradicting $\phi_{a,b,c}$. (And also because this substitution yields no further occurrences of $b$ upon reply $T$.)

Also, $c$ is a central condition in $r(T)$ with the property that $T_c(r(T)) \neq_{cr} F_c(r(T))$. We find that $r(b)$ also satisfies $\phi_{a,b,c}$. Now observe that $r(b)$ is a term with lower $\#_{2p}$-value than $r(f(b, t'))$, which is a contradiction.

This concludes our proof. $\Box$



